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Preface 


ASIACRYPT 2011, the 17th International Conference on Theory and Appli- 
cation of Cryptology and Information Security, was held during December 4-8 
in the Silla Hotel, Seoul, Republic of Korea. The conference was sponsored by 
the International Association for Cryptologic Research (IACR) in cooperation 
with Korea Institute of Information Security and Cryptology (KIISC), Digital 
Contents Society (DCS), Korea Internet Security Agency (KISA), and National 
Security Research Institute (NSRI). It was also co-sponsored by the Center for 
Information Security Technologies of Korea University (CIST), the Korean Fed- 
eration of Science and Technology Societies (KOFST), Seoul National Univer- 
sity, Electronics and Telecommunications Research Institute (ETRI), and Seoul 
Metropolitan Government. 

We received 266 valid submissions, of which 42 were accepted for publication. 
With two pairs of papers merged, these proceedings contain the revised versions 
of 40 papers. The Program Committee (PC) was aided by 243 external reviewers. 
Every paper received at least three independent reviews, and papers with PC 
contributions got five or more. Several questions from PC members to authors 
were relayed in order to increase the quality of submissions. ASIACRYPT 2011 
used a rolling Co-chair model and we made all decisions by consensus by sharing 
a great deal of e-mails. 

For the Best Paper Award, the PC selected “A Framework for Practical Uni- 
versally Composable Zero-Knowledge Protocols” by Jan Camenisch, Stephan 
Krenn, and Victor Shoup and “Counting Points on Genus 2 Curves with Real 
Multiplication” by Pierrick Gaudry, David Kohel, and Benjamin Smith. There 
were two invited talks; Joan Daemen delivered “15 Years of Rijndael” on De- 
cember 6 and Ulfar Erlingsson spoke on “Securing Cloud Computing Services” 
on December 7. 

We would like to thank the authors of all submissions regardless of whether 
their papers were accepted or not. Their work made this conference possible. 
We are extremely grateful to the PC members for their enormous investment of 
time and effort in the difficult and delicate process of review and selection. A 
list of PC members and external reviewers can be found on succeeding pages of 
this volume. We would like to thank Hyoung Joong Kim, who was the General 
Chair in charge of the local organization and finances. Special thanks go to Shai 
Halevi for providing and setting up the splendid review software. We are most 
grateful to Kwangsu Lee and Jong Hwan Park, who provided support for the 
entire ASIACRYPT 2011 process. We are also grateful to Masayuki Abe, the 
ASIACRYPT 2010 Program Chair, for his timely information and replies to the 
host of questions we posed during the process. 


September 2011 


Dong Hoon Lee 
Xiaoyun Wang 
BKZ 2.0: Better Lattice Security Estimates


Yuanmi Chen and Phong Q. Nguyen
Abstract. The best lattice reduction algorithm known in practice for
high dimension is Schnorr-Euchner's BKZ: all security estimates of lattice
cryptosystems are based on NTL's old implementation of BKZ. However,
recent progress on lattice enumeration suggests that BKZ and its NTL
implementation are no longer optimal, but the precise impact on security
estimates was unclear. We assess this impact thanks to extensive
experiments with BKZ 2.0, the first state-of-the-art implementation of
BKZ incorporating recent improvements, such as Gama-Nguyen-Regev
pruning. We propose an efficient simulation algorithm to model the
behaviour of BKZ in high dimension with high blocksize $\beta \ge 50$, which can
predict approximately both the output quality and the running time,
thereby revising lattice security estimates. For instance, our simulation
suggests that the smallest NTRUSign parameter set, which was claimed
to provide at least 93-bit security against key-recovery lattice attacks,
actually offers at most 65-bit security.


1 Introduction 

Lattices are discrete subgroups of $\mathbb{R}^m$. A lattice $L$ is represented by a basis, i.e.
a set of linearly independent vectors $\mathbf{b}_1, \ldots, \mathbf{b}_n$ in $\mathbb{R}^m$ such that $L$ is equal to
the set $L(\mathbf{b}_1, \ldots, \mathbf{b}_n) = \{\sum_{i=1}^{n} x_i \mathbf{b}_i : x_i \in \mathbb{Z}\}$ of all integer linear combinations
of the $\mathbf{b}_i$'s. The integer $n$ is the dimension of $L$. The goal of lattice reduction
is to find bases consisting of reasonably short and nearly orthogonal vectors.
Lattice reduction algorithms have many applications, notably public-key
cryptanalysis, where they have been used to break special cases of RSA and
DSA, among others. There are roughly two types of lattice reduction algorithms:

- Approximation algorithms like the celebrated LLL algorithm and its
blockwise generalizations. Such algorithms find relatively short
vectors, but usually not shortest vectors in high dimension.

- Exact algorithms to output shortest or nearly shortest vectors. There are
space-efficient enumeration algorithms and exponential-space
algorithms, the latter being outperformed in practice by
the former despite their better asymptotic running time $2^{O(n)}$.

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 1-20, 2011.
© International Association for Cryptologic Research 2011
In high dimension, only approximation algorithms can be run, but both types are
complementary: approximation algorithms use exact algorithms as subroutines,
and exact algorithms use approximation algorithms as preprocessing. In theory,
the best approximation algorithm is Gama-Nguyen's slide reduction. But experiments
(such as the Gama-Nguyen experiments, or the cryptanalyses of the GGH challenges)
suggest that the best approximation algorithm known in practice for high dimension
is BKZ, published by Schnorr and Euchner in 1994 [42] and implemented
in NTL. Like all blockwise algorithms, BKZ has an additional input
parameter, the blocksize $\beta$, which impacts both the running time and the
output quality: BKZ calls many times an enumeration subroutine,
which looks for nearly-shortest vectors in projected lattices of dimension $\le \beta$.
As $\beta$ increases, the output basis becomes more and more reduced, but the cost
increases significantly: the cost of the enumeration subroutine is typically
super-exponential in $\beta$, namely $2^{O(\beta^2)}$ polynomial-time operations, and
experiments show that the number of calls increases sharply with both $\beta$ and the
lattice dimension $n$: for fixed $\beta \ge 30$, the number of calls looks superpolynomial
if not exponential in $n$. This leads to two typical uses of BKZ:

1. A small blocksize $\beta$ around 20 in any dimension $n$, or a medium blocksize $\beta$
around 30-40 in medium dimension $n$ (say, around 100 at most). Here, BKZ
terminates in a reasonable time, and is routinely used to improve the quality
of an LLL-reduced basis.

2. A high blocksize $\beta \ge 40$ in high dimension $n$, to find shorter and shorter
lattice vectors. Here, BKZ does not terminate in a reasonable time, and the
computation is typically aborted after, say, a few hours or days, with the
hope that the current basis is good enough for the application: we note that
Hanrot et al. recently proved worst-case bounds for the output quality of
aborted-BKZ, which are only slightly worse than full-BKZ. And one usually
speeds up the enumeration subroutine by a pruning technique:
for instance, the implementation of BKZ in NTL proposes Schnorr-Hörner
(SH) pruning, which adds another input parameter $p$, whose impact was
only clarified by Gama, Nguyen and Regev. The largest GGH cryptographic challenges were
solved using an aborted BKZ of blocksize $\beta = 60$ and SH factor
$p = 14$.

One major issue is to assess the output quality of BKZ, especially since lattice
algorithms tend to perform better than theoretically expected. The quality is
measured by the so-called Hermite factor, as popularized by Gama and Nguyen.
In practice, the Hermite factor of all lattice algorithms known is typically
exponential in the dimension, namely $c^n$ where $c$ depends on the parameters of the
algorithm. The experiments of Gama and Nguyen show that in practice, the Hermite factor of
BKZ is typically $c(\beta, n)^n$ where $c(\beta, n)$ quickly converges as $n$ grows to infinity
for fixed $\beta$. However, the limit values of $c(\beta, n)$ are only known for small values of
$\beta$ (roughly $\le 30$), and theoretical upper bounds on $c(\beta, n)$ are significantly
higher than experimental values.


All security estimates and proposed parameters of lattice cryptosystems (such as
recent ones and NTRU's) are based on benchmarks of NTL's
old implementation of BKZ, but the significance of these estimates is rather
debatable. First, these benchmarks were all computed with only usage 1: NTRU
"never observed a noticeable improvement from the pruning procedure, so the
pruning procedure was not called" and used $\beta \le 25$, while other proposals use $\beta \le 30$. This
means that such security estimates either assume that BKZ cannot be run with
$\beta > 30$, or they extrapolate $c(\beta, n)$ for high values of $\beta$ from low values $\beta \le 30$.
Second, recent progress in enumeration shows that enumeration can now be
performed in much higher dimension (e.g. $\beta \approx 110$) than previously imagined,
but no approximate value of $c(\beta, n)$ is known for large $\beta \ge 50$. And NTL's
implementation does not include these recent improvements, and is therefore
suboptimal.

Our results. We report the first extensive experiments with high-blocksize BKZ
($\beta \ge 40$) in high dimension. This is made possible by implementing BKZ 2.0, an
updated version of BKZ taking into account recent algorithmic improvements.
The main modification is the incorporation of the sound pruning technique
developed by Gama, Nguyen and Regev at EUROCRYPT '10. The modifications
significantly decrease the running time of the enumeration subroutine, without
degrading its output quality for appropriate parameters, which allows much
bigger blocksizes. BKZ 2.0 outperforms NTL's implementation of BKZ, even with
SH pruning, which we checked by breaking lattice records such as Darmstadt's
lattice challenges or the SVP challenges: for instance, we find the
shortest vector in NTRU's historical 214-dimensional lattices within $2^{42.62}$
clock cycles, at least 70 times less computation than previously reported.

More importantly, our experiments allow us to propose an efficient simulation
algorithm to model the execution of BKZ with (arbitrarily) high blocksize $\beta \ge 50$,
to guess the approximate length of the output vector and the time required: in
particular, this algorithm provides the first ever predictions for $c(\beta, n)$ for
arbitrarily high values of $\beta \ge 50$. For a given target length, the simulation predicts
the approximate blocksize $\beta$ required to obtain such short lattice vectors,
and approximately how many enumeration calls will be required. This can
be converted into an approximate running time, once we know a good
approximation of the cost of enumeration. And we provide such approximations for the
best enumeration subroutines known.

Our simulation refines the Gama-Nguyen security estimates on the concrete
hardness of lattice problems, which did not take into account pruning,
like the security estimates of NTRU and those of other recent proposals. We
illustrate the usefulness of our simulation by revising security estimates. For
instance, our simulation suggests that the smallest NTRUSign parameter set,
which was claimed to provide at least 93-bit security against key-recovery lattice
attacks, actually offers at most 65-bit security. And we use our simulation to
provide the first concrete security assessment of the fully-homomorphic encryption
challenges recently proposed by Gentry and Halevi. It seems that none of
these challenges offers a very high security level, except the largest one, which
seems to offer at most a 100-bit security level.

Roadmap. We start in Sect. 2 with background and notation on lattices. In
Sect. 3 we recall the BKZ algorithm. In Sect. 4 we present BKZ 2.0 by
describing our modifications to BKZ. In Sect. 5 we briefly report on new lattice
records obtained. We present in Sect. 6 a simulation algorithm to predict the
performances of BKZ 2.0 with (arbitrarily) high blocksize, which we apply to
revise security estimates in Sect. 7. More information can be found in the full
version.

2 Preliminaries 

We use row representations of matrices (to match lattice software), and use bold
fonts to denote vectors: if $B = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ is a matrix, its row vectors are the
$\mathbf{b}_i$'s. The Euclidean norm of a vector $\mathbf{v} \in \mathbb{R}^m$ is $\|\mathbf{v}\|$. We denote by $\mathrm{Ball}_n(R)$
the $n$-dim Euclidean ball of radius $R$, and by $V_n(R) = R^n \cdot \pi^{n/2} / \Gamma(n/2 + 1)$ its volume.
The $n$-dim unit sphere is denoted by $S^{n-1}$. Let $L$ be an $n$-dim lattice in $\mathbb{R}^m$. Its
volume $\mathrm{vol}(L)$ is the $n$-dim volume of the parallelepiped generated by any basis
of $L$.

Orthogonalization. An $n \times m$ basis $B = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ can be written uniquely as
$B = \mu \cdot D \cdot Q$ where $\mu = (\mu_{i,j})$ is $n \times n$ lower-triangular with unit diagonal, $D$
is $n \times n$ positive diagonal, and $Q$ is $n \times m$ with orthonormal row vectors. Then
$\mu D$ is a lower triangular representation of $B$ (with respect to $Q$), $B^* = DQ =
(\mathbf{b}^*_1, \ldots, \mathbf{b}^*_n)$ is the Gram-Schmidt orthogonalization of the basis, and $D$ is the
diagonal matrix formed by the $\|\mathbf{b}^*_i\|$'s. For $1 \le i \le n+1$, we denote by $\pi_i$ the
orthogonal projection over $(\mathbf{b}_1, \ldots, \mathbf{b}_{i-1})^\perp$. For $1 \le j \le k \le n$, we denote by
$B_{[j,k]}$ the local projected block $(\pi_j(\mathbf{b}_j), \pi_j(\mathbf{b}_{j+1}), \ldots, \pi_j(\mathbf{b}_k))$, and by $L_{[j,k]}$ the
lattice spanned by $B_{[j,k]}$, whose dimension is $k - j + 1$.

Random Lattices. There is a natural notion of random (real) lattices of given
volume, based on Haar measures of classical groups. And there is a
simple notion of random integer lattices, used in recent experiments: for any
integer $V$, a random $n$-dim integer lattice of volume $V$ is one chosen uniformly
at random among the finitely many $n$-dim integer lattices of volume $V$. It is
known that, as $V$ grows to infinity, the uniform distribution over integer
lattices of volume $V$ converges towards the distribution of random (real) lattices
of unit volume, once the integer lattice is scaled by $V^{1/n}$. In experiments with
random lattices, we mean an $n$-dim integer lattice chosen uniformly at random
with volume a random prime number of bit-length $10n$: for prime volumes, it is
trivial to sample from the uniform distribution, using the Hermite normal form.
A bit-length $\Theta(n^2)$ would be preferable in theory (in order to apply the
convergence result just mentioned), but it significantly increases running times, without
affecting noticeably the experimental results.
Gaussian Heuristic. Given a lattice $L$ and a "nice" set $S$, the Gaussian Heuristic
predicts that the number of points in $S \cap L$ is $\approx \mathrm{vol}(S)/\mathrm{vol}(L)$. In some cases,
this heuristic can be proved or refuted.

Shortest vector. A shortest vector of $L$ has norm $\lambda_1(L) = \min_{\mathbf{v} \in L, \mathbf{v} \ne 0} \|\mathbf{v}\|$, the
first minimum of $L$. If the Gaussian heuristic was true for any ball $S$, we would
expect $\lambda_1(L) \approx \mathrm{GH}(L)$ where $\mathrm{GH}(L) = \mathrm{vol}(L)^{1/n} \cdot V_n(1)^{-1/n}$. Minkowski's
theorem shows that $\lambda_1(L) \le 2\,\mathrm{GH}(L)$ for any lattice $L$. For random real lattices,
$\lambda_1(L)$ is asymptotically equivalent to $\mathrm{GH}(L)$ with overwhelming probability.

Reduced bases. We recall a few classical reductions. A basis $B = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ is:

- size-reduced if its Gram-Schmidt matrix $\mu$ satisfies $|\mu_{i,j}| \le 1/2$ for $1 \le j <
i \le n$.

- LLL-reduced with factor $\varepsilon$ such that $0 < \varepsilon < 1$ if it is size-reduced and its
Gram-Schmidt orthogonalization satisfies $\|\mathbf{b}^*_{i+1} + \mu_{i+1,i}\mathbf{b}^*_i\|^2 \ge (1 - \varepsilon)\|\mathbf{b}^*_i\|^2$
for $1 \le i < n$. If we omit the factor $\varepsilon$, we mean the factor $\varepsilon = 0.01$, which is
the usual choice in practice.

- BKZ-reduced with blocksize $\beta \ge 2$ and factor $\varepsilon$ such that $0 < \varepsilon < 1$ if
it is LLL-reduced with factor $\varepsilon$ and for each $1 \le j \le n$: $\|\mathbf{b}^*_j\| = \lambda_1(L_{[j,k]})$
where $k = \min(j + \beta - 1, n)$.

One is usually interested in minimizing the Hermite factor $\|\mathbf{b}_1\| / \mathrm{vol}(L)^{1/n}$,
which is completely determined by the sequence $\|\mathbf{b}^*_1\|, \ldots, \|\mathbf{b}^*_n\|$. This is
because the Hermite factor dictates the performance of the algorithm at solving
the most useful lattice problems: approx-SVP and unique-SVP, as well as SIS and LWE.
It turns out that the Gram-Schmidt coefficients of
bases produced by the main reduction algorithms (such as LLL or BKZ) have
a certain "typical shape", provided that the input basis is sufficiently
randomized. To give an idea, the shape is roughly such that $\|\mathbf{b}^*_i\| / \|\mathbf{b}^*_{i+1}\| \approx q$
where $q$ depends on the reduction algorithm, except for the first indexes $i$. This
means that the Hermite factor will typically be of the form $c^n$ where $c \approx \sqrt{q}$.
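The quantities above (the unit-ball volume, the Gaussian heuristic, the Hermite factor and the "typical shape" with ratio $q$) are easy to get wrong by an off-by-one in an exponent, so here is a small added example, written for this page and not taken from the paper or from NTL, that computes them. `typical_profile` builds the idealised shape $\|\mathbf{b}^*_i\| / \|\mathbf{b}^*_{i+1}\| = q$ for every index (an assumption: the text only says the shape holds roughly and away from the first indices) and the script checks numerically that its root Hermite factor is $\approx \sqrt{q}$. `required_root_hermite_factor` (a name chosen here) inverts the Hermite factor: given a target norm it returns the $c$ a reduction algorithm must reach, which is the starting point of a security estimate.

```python
import math

def unit_ball_volume(n):
    """V_n(1) = pi^(n/2) / Gamma(n/2 + 1), the volume of the n-dim unit ball."""
    return math.pi ** (n / 2.0) / math.gamma(n / 2.0 + 1)

def gaussian_heuristic(volume, n):
    """GH(L) = vol(L)^(1/n) * V_n(1)^(-1/n): the Gaussian-heuristic prediction
    of lambda_1 for an n-dim lattice of the given volume."""
    return volume ** (1.0 / n) * unit_ball_volume(n) ** (-1.0 / n)

def minkowski_bound(volume, n):
    """Minkowski's theorem: lambda_1(L) <= 2 GH(L) holds for every lattice."""
    return 2.0 * gaussian_heuristic(volume, n)

def root_hermite_factor(b1_norm, volume, n):
    """c such that ||b_1|| = c^n * vol(L)^(1/n), i.e. the Hermite factor is c^n."""
    return (b1_norm / volume ** (1.0 / n)) ** (1.0 / n)

def required_root_hermite_factor(target_norm, volume, n):
    """Root Hermite factor a reduction must reach so that ||b_1|| <= target_norm
    (hypothetical helper name; it is the inverse of the Hermite factor)."""
    return root_hermite_factor(target_norm, volume, n)

def typical_profile(n, q, volume=1.0):
    """Gram-Schmidt norms ||b*_1||, ..., ||b*_n|| following the idealised shape
    ||b*_i|| / ||b*_{i+1}|| = q for all i (assumption: the paper says 'roughly'
    and excludes the first indices), scaled so that prod ||b*_i|| = volume."""
    raw = [q ** (-i) for i in range(n)]
    scale = (volume / math.prod(raw)) ** (1.0 / n)
    return [scale * r for r in raw]

def profile_root_hermite_factor(profile):
    """Root Hermite factor read off a profile: ||b_1|| = ||b*_1|| and
    vol(L) = prod ||b*_i||, so the Hermite factor is fixed by the ||b*_i||'s."""
    n = len(profile)
    return root_hermite_factor(profile[0], math.prod(profile), n)

if __name__ == "__main__":
    n, q = 100, 1.0128 ** 2            # q chosen so that sqrt(q) = 1.0128 = c(20, n)
    prof = typical_profile(n, q)
    print("sqrt(q) =", math.sqrt(q), "c from profile =", profile_root_hermite_factor(prof))
    # A constructed instance: 100-dim lattice of volume 2^1000, target norm 2^10.
    print("GH =", gaussian_heuristic(2.0 ** 1000, 100),
          "c needed for ||b_1|| <= 1024:", required_root_hermite_factor(1024.0, 2.0 ** 1000, 100))
```

For the geometric profile one gets exactly $c = q^{(n-1)/(2n)}$, which is why the text can write $c \approx \sqrt{q}$ for large $n$.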

3 The Blockwise Korkine-Zolotarev (BKZ) Algorithm 

3.1 Description 

The Blockwise Korkine-Zolotarev (BKZ) algorithm outputs a BKZ-reduced
basis with blocksize $\beta \ge 2$ and reduction factor $\varepsilon > 0$, from an input basis
$B = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$. It starts by LLL-reducing the basis $B$, then
iteratively reduces each local block $B_{[j, \min(j+\beta-1, n)]}$ for $j = 1$ to $n$, to make sure
that the first vector of each such block is the shortest in the projected lattice.
This gives rise to Algorithm 1, which proceeds in such a way that each block
is already LLL-reduced before being enumerated: there is an index $j$, initially
set to 1. At each iteration, BKZ performs an enumeration of the local projected
lattice $L_{[j,k]}$ where $k = \min(j + \beta - 1, n)$ to find $\mathbf{v} = (v_1, \ldots, v_n) \in \mathbb{Z}^n$ such that
$\|\pi_j(\sum_{i=j}^{k} v_i \mathbf{b}_i)\| = \lambda_1(L_{[j,k]})$. We let $h = \min(k + 1, n)$ be the ending index of
the new block in the next iteration:

- If $\|\mathbf{b}^*_j\| > \lambda_1(L_{[j,k]})$, then $\mathbf{b}_{\mathrm{new}} = \sum_{i=j}^{k} v_i \mathbf{b}_i$ is inserted between $\mathbf{b}_{j-1}$ and $\mathbf{b}_j$.
This means that we no longer have a basis, so LLL is called on the generating
set $(\mathbf{b}_1, \ldots, \mathbf{b}_{j-1}, \mathbf{b}_{\mathrm{new}}, \mathbf{b}_j, \ldots, \mathbf{b}_h)$, to give rise to a new LLL-reduced basis
$(\mathbf{b}_1, \ldots, \mathbf{b}_h)$.

- Otherwise, LLL is called on the truncated basis $(\mathbf{b}_1, \ldots, \mathbf{b}_h)$.

Thus, at the end of each iteration, the basis $B = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ is such that
$(\mathbf{b}_1, \ldots, \mathbf{b}_h)$ is LLL-reduced. When $j$ reaches $n$, it is reset to 1, unless no
enumeration was successful, in which case the algorithm terminates: the goal of $z$
in Algorithm 1 is to count the number of consecutive failed enumerations, to check
termination.


Algorithm 1. The Block Korkine-Zolotarev (BKZ) algorithm
Input: A basis $B = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$, a blocksize $\beta \in \{2, \ldots, n\}$, the Gram-Schmidt
triangular matrix $\mu$ and $\|\mathbf{b}^*_1\|^2, \ldots, \|\mathbf{b}^*_n\|^2$.

Output: The basis $(\mathbf{b}_1, \ldots, \mathbf{b}_n)$ is BKZ-$\beta$ reduced

1. $z \leftarrow 0$; $j \leftarrow 0$; LLL$(\mathbf{b}_1, \ldots, \mathbf{b}_n, \mu)$; // LLL-reduce the basis, and update $\mu$

2. while $z < n - 1$ do

3.   $j \leftarrow (j \bmod (n-1)) + 1$; $k \leftarrow \min(j + \beta - 1, n)$; $h \leftarrow \min(k + 1, n)$; // define the local block

4.   $\mathbf{v} \leftarrow \mathrm{Enum}(\mu_{[j,k]}, \|\mathbf{b}^*_j\|^2, \ldots, \|\mathbf{b}^*_k\|^2)$; // find $\mathbf{v} = (v_j, \ldots, v_k) \in \mathbb{Z}^{k-j+1} \setminus \{0\}$ s.t. $\|\pi_j(\sum_{i=j}^{k} v_i \mathbf{b}_i)\| = \lambda_1(L_{[j,k]})$

5.   if $\mathbf{v} \ne (1, 0, \ldots, 0)$ then

6.     $z \leftarrow 0$; LLL$(\mathbf{b}_1, \ldots, \sum_{i=j}^{k} v_i \mathbf{b}_i, \mathbf{b}_j, \ldots, \mathbf{b}_h, \mu)$ at stage $j$; // insert the new vector in the lattice at the start of the current block, then remove the dependency in the current block, update $\mu$

7.   else

8.     $z \leftarrow z + 1$; LLL$(\mathbf{b}_1, \ldots, \mathbf{b}_h, \mu)$ at stage $h - 1$; // LLL-reduce the next block before enumeration

9.   end if

10. end while
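Algorithm 1 leaves two steps implicit: the LLL call on a generating set (line 6) and the enumeration oracle (line 4). The following added toy implementation, written for this page (it is neither the authors' BKZ 2.0 nor NTL's BKZ), makes both explicit in exact rational arithmetic, so it is only usable on tiny lattices. Its enumeration is the plain bounded depth-first search with radius updates described in Sect. 3.2, without the child-ordering and "half tree" optimisations; its LLL accepts a generating set and drops the vector that reduces to zero, which is one standard way to realise line 6. The sample basis is a constructed $q$-ary lattice, not one from the paper.

```python
"""Added example (not the paper's or NTL's code): a minimal Algorithm 1 with
exact rational arithmetic, for tiny lattices only (dimension <= ~8).
Bases are lists of integer row vectors, as in the paper's row convention."""
from fractions import Fraction
import math

def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))

def gram_schmidt(B):
    """Return (mu, bsq): mu[i][j] = <b_i, b*_j> / ||b*_j||^2 and bsq[i] = ||b*_i||^2.
    A dependent vector gets b*_i = 0; later mu's against it are set to 0."""
    n = len(B)
    mu = [[Fraction(0)] * n for _ in range(n)]
    bstar, bsq = [], []
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], bstar[j]) / bsq[j] if bsq[j] else Fraction(0)
            v = [a - mu[i][j] * b for a, b in zip(v, bstar[j])]
        mu[i][i] = Fraction(1)
        bstar.append(v)
        bsq.append(dot(v, v))
    return mu, bsq

def lll(B, delta=Fraction(99, 100)):
    """Textbook LLL (Lovasz factor delta = 1 - epsilon with epsilon = 0.01).
    Accepts a generating set: a vector reduced to zero is dropped, which is how
    the dependency created by line 6 of Algorithm 1 is removed here."""
    B = [list(row) for row in B if any(row)]
    k = 1
    while k < len(B):
        mu, bsq = gram_schmidt(B)
        for j in range(k - 1, -1, -1):                 # size-reduce b_k
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                mu, bsq = gram_schmidt(B)
        if not any(B[k]):                              # b_k was dependent: drop it
            del B[k]
            continue
        if bsq[k] >= (delta - mu[k][k - 1] ** 2) * bsq[k - 1]:   # Lovasz condition
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return B

def enumerate_block(mu, bsq, j, k):
    """Enumeration on the projected block L_[j,k] (0-based indices). The radius
    starts at ||b*_j|| and shrinks at every new leaf (Schnorr-Euchner style,
    without child ordering). Returns (v, ||.||^2, nodes) where v = (v_j..v_k)
    gives a shortest vector strictly shorter than b*_j, or (None, ||b*_j||^2,
    nodes) when b*_j is already a shortest vector of the block."""
    best = [None, bsq[j]]
    v, nodes = [0] * (k - j + 1), 0
    def rec(i, partial):                               # i runs from k down to j
        nonlocal nodes
        c = -sum(v[l - j] * mu[l][i] for l in range(i + 1, k + 1))   # centre of the interval
        r = math.sqrt(float((best[1] - partial) / bsq[i]))
        for x in range(math.floor(c - r), math.ceil(c + r) + 1):
            sq = partial + (x - c) ** 2 * bsq[i]       # ||pi_i(partial vector)||^2, exact
            if sq >= best[1]:
                continue
            nodes += 1
            v[i - j] = x
            if i == j:
                if any(v):                             # skip the zero vector
                    best[0], best[1] = v[:], sq
            else:
                rec(i - 1, sq)
        v[i - j] = 0
    rec(k, Fraction(0))
    return best[0], best[1], nodes

def bkz(B, beta):
    """Algorithm 1: returns (BKZ-beta reduced basis, number of enumeration calls)."""
    B = lll(B)
    n = len(B)
    if n < 2:
        return B, 0
    z, j, calls = 0, 0, 0
    while z < n - 1:
        j = (j % (n - 1)) + 1                          # 1-based start of the block
        k, h = min(j + beta - 1, n), min(j + beta, n)  # h = min(k + 1, n)
        mu, bsq = gram_schmidt(B)
        v, _, _ = enumerate_block(mu, bsq, j - 1, k - 1)
        calls += 1
        if v is not None:                              # line 6: insert b_new, LLL the generating set
            z = 0
            bnew = [sum(v[i] * B[j - 1 + i][t] for i in range(len(v))) for t in range(len(B[0]))]
            B = lll(B[:j - 1] + [bnew] + B[j - 1:h]) + B[h:]
        else:                                          # line 8: failed enumeration
            z += 1
            B = lll(B[:h]) + B[h:]
    return B, calls

def sq_norm(v):
    return sum(x * x for x in v)

if __name__ == "__main__":
    # Constructed q-ary lattice {x : x_1 = 2 x_2 + 6 x_3 + 9 x_4 (mod 13)}; lambda_1^2 = 3.
    basis = [[13, 0, 0, 0], [2, 1, 0, 0], [6, 0, 1, 0], [9, 0, 0, 1]]
    reduced, calls = bkz(basis, beta=4)
    print(reduced, "enumeration calls:", calls)
```

With $\beta = n$ the loop stops only once every block enumeration fails, so the first basis vector is then a shortest vector of the whole lattice; with smaller $\beta$ only the local condition $\|\mathbf{b}^*_j\| = \lambda_1(L_{[j,k]})$ is enforced, which is what makes BKZ cheaper than exact SVP.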


3.2 Enumeration Subroutine 

BKZ requires a subroutine to find a shortest vector in a local projected lattice
$L_{[j,k]}$: given as input two integers $j$ and $k$ such that $1 \le j \le k \le n$, output
$\mathbf{v} = (v_j, \ldots, v_k) \in \mathbb{Z}^{k-j+1}$ such that $\|\pi_j(\sum_{i=j}^{k} v_i \mathbf{b}_i)\| = \lambda_1(L_{[j,k]})$. In
practice, as well as in the BKZ article [42], this is implemented by enumeration.
One sets $R = \|\mathbf{b}^*_j\|$ as an initial upper bound of $\lambda_1(L_{[j,k]})$. Enumeration goes
through the enumeration tree formed by "half" of the vectors in the local
projected lattices $L_{[k,k]}, L_{[k-1,k]}, \ldots, L_{[j,k]}$ of norm at most $R$. The tree has depth
$k - j + 1$, and for each $d \in \{0, \ldots, k - j + 1\}$, the nodes at depth $d$ are $0$ and
all $\pi_{k-d+1}(\mathbf{u}) \in L_{[k-d+1,k]}$ where $\mathbf{u} = \sum_{i=j}^{k} u_i \mathbf{b}_i$ with $u_i \in \mathbb{Z}$, $u_k \ge 0$ and
$\|\pi_{k-d+1}(\mathbf{u})\| \le R$. The parent of a node $\mathbf{u} \in L_{[k-d+1,k]}$ at depth $d$ is $\pi_{k+2-d}(\mathbf{u})$
at depth $d - 1$. Child nodes are ordered by increasing Euclidean norm. The
Schnorr-Euchner algorithm [42] performs a Depth First Search of the tree to
output a nonzero leaf of minimal norm, with the following modification:
every time a new (nonzero) leaf is found, one updates the enumeration radius $R$
as the norm of the leaf. The more reduced the basis is, the fewer nodes in the
tree, and the cheaper the enumeration. The running time of the enumeration
algorithm is $N$ polynomial-time operations where $N$ is the total number of tree
nodes. If the algorithm did not update $R$, Hanrot and Stehlé noticed that
the number of nodes at depth $d$ could be estimated from the Gaussian heuristic
as:

$$H_d(R) = \frac{1}{2} \cdot \frac{V_d(R)}{\prod_{i=k-d+1}^{k} \|\mathbf{b}^*_i\|} = \frac{1}{2} \cdot \frac{R^d \, V_d(1)}{\prod_{i=k-d+1}^{k} \|\mathbf{b}^*_i\|} \qquad (1)$$

Gama et al. showed that this heuristic estimate is experimentally very
accurate, at least for sufficiently large $k - j + 1$ and typical reduced bases. We
can therefore heuristically bound the number of nodes at depth $d$ in the actual
Schnorr-Euchner algorithm (with update of $R$) by setting $R = \lambda_1(L_{[j,k]})$ and
$R = \|\mathbf{b}^*_j\|$ in Eq. (1). It is shown by Gama et al. that for typical reduced bases, $H_d(R)$
is maximal around the middle depth $d \approx (k - j)/2$, and the remaining $H_d(R)$'s
are significantly smaller.


3.3 Analysis 

No good upper bound on the complexity of BKZ is known. The best upper bound
known for the number of calls (to the enumeration subroutine) is exponential.
In practice, BKZ with $\beta = 20$ is very practical, but the running
time significantly increases for $\beta > 25$, making any $\beta \ge 40$ too expensive for
high-dimensional lattices. In practice, the quality of bases output by BKZ is better
than the best theoretical worst-case bounds: according to Gama and Nguyen, the Hermite factor
for high-dimensional lattices is typically $c(\beta, n)^n$ where $c(\beta, n)$ seems to quickly
converge as $n$ grows to infinity, whereas theoretical upper bounds are $c'(\beta)^n$ with
$c'(\beta)$ significantly larger than $c(\beta, n)$. For instance, $c(20, n) \approx 1.0128$ for large
$n$. Furthermore, Hanrot et al. recently showed that if one aborts BKZ after a suitable
polynomial number of calls, one can obtain theoretical upper bounds which are
only slightly worse than $c'(\beta)^n$.


4 BKZ 2.0 

When the blocksize is sufficiently high, namely $\beta \ge 30$, it is known that the
overall running time of BKZ is dominated by the enumeration subroutine, which
finds a shortest vector in the $m$-dimensional local projected lattice $L_{[j,k]}$, using
a radius $R$ initially set to $\|\mathbf{b}^*_j\|$, where $1 \le j \le k \le n$ and $m = k - j + 1$.

In this section, we describe BKZ 2.0, an updated version of BKZ with four
improvements, which we implemented by modifying NTL's implementation
of BKZ [42]. The first improvement is simply an early-abort, which is common
practice in cryptanalysis, and is partially supported by the recent theoretical
result of Hanrot et al.: we add a parameter that specifies how many iterations should be
performed, i.e. we choose the number of oracle calls; this already provides an
exponential speedup over BKZ, because the number of calls seems to grow
exponentially for fixed $\beta \ge 30$ according to the experiments of Gama and Nguyen. The other three
improvements aim at decreasing the running time of the enumeration subroutine:
sound pruning, preprocessing of local bases, and shorter enumeration
radius. Though these improvements may be considered as folklore, we stress that
none had been incorporated in BKZ (except that a weaker form of pruning had
been designed by Schnorr and Hörner, and implemented in NTL), and
that implementing them is not trivial.


4.1 Sound Pruning 

Pruning speeds up enumeration by discarding certain branches, but may not
return any vector, or maybe not the shortest one. The idea of pruned enumeration
goes back to Schnorr and Euchner [42], and was first analyzed by Schnorr and
Hörner in 1995. It was recently revisited by Gama et al., who noticed
that the analysis of Schnorr and Hörner was flawed and that the pruning was not optimal. They
showed that a well-chosen high-probability pruning leads to an asymptotical
speedup of $2^{m/4}$ over full enumeration, and introduced an extreme pruning
technique which gives an asymptotical speedup of $2^{m/2}$ over full enumeration. We
incorporated both pruning with non-negligible probability, and extreme pruning
using randomization. Formally, pruning replaces each of the $k - j + 1$ inequalities
$\|\pi_{k+1-d}(\mathbf{u})\| \le R$ for $1 \le d \le k - j + 1$ by $\|\pi_{k+1-d}(\mathbf{u})\| \le R_d \cdot R$ where
$0 < R_1 \le \cdots \le R_{k-j+1} = 1$ are $k - j + 1$ real numbers defined by the pruning
strategy. For any bounding function $(R_1, \ldots, R_{k-j+1})$, Gama et al. consider the
quantities $N'$ and $p_{\mathrm{succ}}$ defined by:

- $N' = \sum_{d=1}^{k-j+1} H'_d$ is a heuristic estimate of the total number of nodes in the
pruned enumeration tree, where $H'_d = \frac{1}{2} \cdot \frac{R^d \, V_{R_1, \ldots, R_d}}{\prod_{i=k+1-d}^{k} \|\mathbf{b}^*_i\|}$ and $V_{R_1, \ldots, R_d}$ denotes
the volume of $C_{R_1, \ldots, R_d} = \{(x_1, \ldots, x_d) \in \mathbb{R}^d : \forall\, 1 \le i \le d,\ \sum_{l=1}^{i} x_l^2 \le R_i^2\}$.

- $p_{\mathrm{succ}} = p_{\mathrm{succ}}(R_1, \ldots, R_m) = \Pr_{\mathbf{u} \text{ uniform on } S^{m-1}}\left(\forall\, i \in [1, m],\ \sum_{l=1}^{i} u_l^2 \le R_i^2\right)$. Let $\mathbf{t} \in
L_{[j,k]}$ be a target vector such that $\|\pi_j(\mathbf{t})\| = R$. If the local basis $B_{[j,k]}$
is assumed to be randomized, then $p_{\mathrm{succ}}$ is the probability that $\pi_j(\mathbf{t})$ is a
leaf of the pruned enumeration tree, under the (idealized) assumption that
the distribution of the coordinates of $\pi_j(\mathbf{t})$, when written in the normalized
Gram-Schmidt basis $(\mathbf{b}^*_j / \|\mathbf{b}^*_j\|, \ldots, \mathbf{b}^*_k / \|\mathbf{b}^*_k\|)$ of the local basis $B_{[j,k]}$, look
like those of a uniformly distributed vector of norm $\|\pi_j(\mathbf{t})\|$.

We stress that the assumption is only an idealization: in practice, when $m$ is
small, for a non-negligible fraction of the local blocks $B_{[j,k]}$, one of the vectors of
$B_{[j,k]}$ is a shortest vector of $L_{[j,k]}$, which should have had zero probability. For
the application to BKZ, it makes sense to consider various bounding functions
of various $p_{\mathrm{succ}}$, say ranging from 1% to 95%, but with a cost $N'$ as small as
possible. Based on the methodology of Gama et al., we performed an automated search
to generate such bounding functions, for blocksizes $\beta$ ranging from 35 to 90 by
steps of 5, and $p_{\mathrm{succ}}$ ranging from 1% to 95%.

It should be noted that BKZ calls the enumeration subroutine on lattices
$L_{[j,k]}$ whose dimension $m = k - j + 1$ is not necessarily equal to $\beta$. When
$j \le n - \beta + 1$, the dimension $m$ of the block is equal to $\beta$, but when $j > n - \beta + 1$,
the dimension $m$ of the block is strictly less than $\beta$. To avoid generating bounding
functions for every dimension, we decided in this case to interpolate the bounding
function found for $\beta$, and checked that interpolating does not affect much $p_{\mathrm{succ}}$.
Finally, in order to boost $p_{\mathrm{succ}}$, we added an optional parameter $\nu$, so that
BKZ actually performs $\nu$ pruned enumerations, each starting with a different
random basis of the same local block. This corresponds to the extreme pruning
of Gama et al.

4.2 Preprocessing of Local Blocks 

The cost of enumeration is strongly influenced by the quality of the local basis,
especially as the blocksize increases: the more reduced the local basis, the bigger
the volumes of the local projected lattices $L_{[k-d+1,k]}$, and therefore the fewer nodes
in the most populated depths of the enumeration tree. This is folklore, but since
BKZ improves regularly the quality of the basis, one might think there is no
need to change the local basis before enumeration. However:

- For each enumeration, the local basis is only guaranteed to be
LLL-reduced, even though the whole basis may be more than LLL-reduced.

- In high blocksizes, most enumerations are successful: they find a shorter
vector than the first block vector. This implies that a local LLL-reduction
will be performed to get a basis from a generating set: see line 6 in Algorithm 1. At
the next iteration, the enumeration will proceed on a typical LLL-reduced
basis, and not something likely to be better reduced.

This suggests that for most enumerations, the local basis is only LLL-reduced,
and nothing more, even though other local bases may be better reduced: this
was confirmed by experiments.

Hence, we implemented a simple speedup: ensure that the local basis is
significantly more reduced than LLL-reduced before each enumeration, but without
spending too much time. We used a recursive aborted-BKZ preprocessing of
the local basis before enumeration: we performed an automated search to find
good parameters depending on $\beta$.
4.3 Optimizing the Enumeration Radius

It is folklore that the enumeration cost is also influenced by the choice of the
initial radius $R$, even though this radius is updated during enumeration.
Initially, the radius is $R = \|\mathbf{b}^*_j\|$, but if we knew beforehand how short
the output vector would be, we would choose a lower initial radius $R$, decreasing the
enumeration time. Indeed, the number of nodes at depth $d$ of the enumeration tree
(pruned or not) is proportional to $R^d$. Unfortunately, not much is known (from
a theoretical point of view) on how small $\lambda_1(L_{[j,k]})$ should be, except general
bounds. So we performed experiments to see what was the final norm found by
enumeration in practice: Fig. 1 compares the final norm (found by enumeration)
to $\mathrm{GH}(L_{[j,k]})$, depending on the starting index $j$ of the local block, for one round
of BKZ. For the lowest indices $j$, one sees that the final norm is significantly lower
than $\mathrm{GH}(L_{[j,k]})$, whereas for the largest indices, it is significantly larger. In the
middle, which accounts for most of the enumerations, the ratio between the
final norm and the Gaussian heuristic prediction is mostly within 0.95 and 1.05,
whereas the ratio between the norm of the first local basis vector and $\mathrm{GH}(L_{[j,k]})$
is typically slightly below 1.1. We therefore used the following optimization: for
all indexes $j$ except the last 30 ones, we let $R = \min(\sqrt{\gamma}\,\mathrm{GH}(L_{[j,k]}), \|\mathbf{b}^*_j\|)$
instead of $R = \|\mathbf{b}^*_j\|$, where $\gamma$ is a radius parameter. In practice, we selected
$\sqrt{\gamma} = \sqrt{1.1} \approx 1.05$.
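The three cost ingredients met so far (the node-count estimate $H_d(R)$ of Eq. (1) in Sect. 3.2, the pruned count $N'$ and $p_{\mathrm{succ}}$ of Sect. 4.1, and the smaller initial radius of this section) fit into one short calculation. The following added example, written for this page and not the paper's code, evaluates them on a constructed geometric Gram-Schmidt profile with ratio $q$, used here as a stand-in for a real local block. The cylinder-intersection volumes $V_{R_1,\ldots,R_d}$ and $p_{\mathrm{succ}}$ are estimated by plain Monte Carlo; `linear_pruning`, the bounding function $R_i = \sqrt{i/m}$, is just a simple example choice and not one of the paper's optimised bounding functions.

```python
"""Added example (written for this page, not the paper's code): node-count
estimates for full and pruned enumeration (Eq. (1) and Sect. 4.1), the success
probability p_succ of a bounding function, and the smaller initial radius of
Sect. 4.3, all computed from a Gram-Schmidt profile ||b*_i|| of a local block."""
import math
import random

def unit_ball_volume(d):
    """V_d(1) = pi^(d/2) / Gamma(d/2 + 1)."""
    return math.pi ** (d / 2.0) / math.gamma(d / 2.0 + 1)

def geometric_profile(m, q, first=1.0):
    """Constructed local profile with ||b*_i|| / ||b*_{i+1}|| = q (an assumption
    standing in for a real reduced block)."""
    return [first * q ** (-i) for i in range(m)]

def gaussian_heuristic(profile):
    """GH of the block: vol^(1/m) * V_m(1)^(-1/m), with vol = prod ||b*_i||."""
    m = len(profile)
    return math.prod(profile) ** (1.0 / m) * unit_ball_volume(m) ** (-1.0 / m)

def passes(x, bounds, tol=1e-12):
    """sum_{l<=i} x_l^2 <= R_i^2 for every prefix i (tolerance absorbs rounding)."""
    acc = 0.0
    for xi, r in zip(x, bounds):
        acc += xi * xi
        if acc > r * r + tol:
            return False
    return True

def cylinder_volume(bounds, samples, rng):
    """Monte-Carlo estimate of vol(C_{R_1..R_d}). C lies inside Ball_d(R_d), so
    sample uniformly in that ball and count the points that fall inside C."""
    d, hits = len(bounds), 0
    for _ in range(samples):
        g = [rng.gauss(0.0, 1.0) for _ in range(d)]
        scale = bounds[-1] * rng.random() ** (1.0 / d) / math.sqrt(sum(v * v for v in g))
        hits += passes([v * scale for v in g], bounds)
    return hits / samples * unit_ball_volume(d) * bounds[-1] ** d

def node_counts(profile, R, bounds=None, samples=1000, seed=1):
    """H'_d for d = 1..m: (1/2) R^d V_{R_1..R_d} / prod of the last d ||b*_i||.
    With bounds = (1, ..., 1) this is exactly H_d(R) of Eq. (1)."""
    m = len(profile)
    bounds = bounds or [1.0] * m
    rng, out = random.Random(seed), []
    for d in range(1, m + 1):
        if all(b == 1.0 for b in bounds[:d]):
            vol = unit_ball_volume(d)              # no pruning at this depth: exact
        else:
            vol = cylinder_volume(bounds[:d], samples, rng)
        out.append(0.5 * R ** d * vol / math.prod(profile[m - d:]))
    return out

def success_probability(bounds, samples=20000, seed=2):
    """p_succ: probability that a uniform point of the unit sphere S^{m-1}
    satisfies all m prefix inequalities of the bounding function."""
    m, rng, hits = len(bounds), random.Random(seed), 0
    for _ in range(samples):
        g = [rng.gauss(0.0, 1.0) for _ in range(m)]
        nrm = math.sqrt(sum(v * v for v in g))
        hits += passes([v / nrm for v in g], bounds)
    return hits / samples

def linear_pruning(m):
    """A simple bounding function R_i = sqrt(i/m), chosen here as an example,
    not one of the paper's optimised bounding functions."""
    return [math.sqrt(i / m) for i in range(1, m + 1)]

def enumeration_radius(profile, gamma=1.1):
    """Sect. 4.3: R = min(sqrt(gamma) * GH(L_[j,k]), ||b*_j||) with gamma = 1.1."""
    return min(math.sqrt(gamma) * gaussian_heuristic(profile), profile[0])

if __name__ == "__main__":
    prof = geometric_profile(30, 1.04)
    full = node_counts(prof, prof[0])
    pruned = node_counts(prof, prof[0], linear_pruning(30))
    print("N =", sum(full), "peak depth =", 1 + full.index(max(full)))
    print("N' =", sum(pruned), "p_succ =", success_probability(linear_pruning(30)))
    print("radius ratio R/||b*_j|| =", enumeration_radius(prof) / prof[0])
```

Two things to read off the output: the most populated depth of the unpruned tree sits well inside the block rather than at either end, as the text states, and replacing the initial radius $\|\mathbf{b}^*_j\|$ by $\sqrt{1.1}\,\mathrm{GH}(L_{[j,k]})$ scales depth $d$ by the factor $(R/\|\mathbf{b}^*_j\|)^d$, so the saving is largest exactly at those middle depths.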



[Figure not reproduced.] Fig. 1. Comparing $\|\mathbf{b}^*_j\|$, $\lambda_1(L_{[j,k]})$ and $\mathrm{GH}(L_{[j,k]})$, for each local block


5 New Lattice Records 

Here, we briefly report on experiments using 64-bit Xeon processors to break 
some lattice records, which suggest that BKZ 2.0 is currently the best lattice 
reduction algorithm in practice. 


5.1 Darmstadt’s Lattice Challenge 

Darmstadt’s lattice challenge [23] started in 2008. For each dimension, the chal- 
lenge is to find a vector of norm $< q$ in an Ajtai lattice [?], where $q$ depends 
on the dimension, and to try to minimize the norm. Until now, the highest chal- 
lenge solved was 725: the first solutions to all challenges in dimension 575 to 725 
were found by Gama and Nguyen in 2008, using NTL’s implementation of BKZ 
with SH pruning. Shorter solutions have been found since (see the full list [23]), 
but no challenge of higher dimension had been solved. All solutions were found 
by reducing appropriate sublattices of much smaller dimension (typically around 
150-200), whose existence follows from the structure of Ajtai lattices: we followed 
the same strategy. 

BKZ 2.0 with blocksize 90 (18 pruned enumerations at 5%) found the first 
ever solution to challenges 750, 775 and 800, and significantly shorter vectors 
in all challenges 525 to 725, using in total about 3 core-years, as summarized 
in Table 1: the first column is the dimension of the challenge, the second one 
is the dimension of the sublattice we used to find the solution, the third one 
is the best norm found by BKZ 2.0, the fourth one is the previous best norm 
found by former algorithms, the fifth one is the ratio between norms, and the 
sixth one is the Hermite factor of the reduced basis of the sublattice, which 
turns out to be slightly below $1.01^{\dim}$. The factor $1.01^{\dim}$ was considered to be 
the state-of-the-art limit in 2008 by Gama and Nguyen [?], which shows the 
improvement. 


Table 1. New Solutions for Darmstadt’s lattice challenge [23] 

| Dim(lattice) | Dim(sublattice) | New norm | Previous norm | Ratio | Hermite factor | 
| --- | --- | --- | --- | --- | --- | 
| 800 | 230 | 120.054 | Unsolved | - | 1.00978^230 | 
| 775 | 230 | 112.539 | Unsolved | - | 1.00994^230 | 
| 750 | 220 | 95.995 | Unsolved | - | 1.00976^220 | 
| 725 | 210 | 85.726 | 100.90 | 0.85 | 1.00978^210 | 
| 700 | 200 | 78.537 | 86.02 | 0.91 | 1.00993^200 | 
| 675 | 190 | 72.243 | 74.78 | 0.97 | 1.00997^190 | 
| 650 | 190 | 61.935 | 66.72 | 0.93 | 1.00993^190 | 
| 625 | 180 | 53.953 | 59.41 | 0.91 | 1.00987^180 | 
| 600 | 180 | 45.420 | 52.01 | 0.87 | 1.00976^180 | 
| 575 | 180 | 39.153 | 42.71 | 0.92 | 1.00977^180 | 
| 550 | 180 | 32.481 | 38.29 | 0.85 | 1.00955^180 | 
| 525 | 180 | 29.866 | 30.74 | 0.97 | 1.00990^180 | 


5.2 SVP Challenges 

The SVP challenge [?] opened in May 2010. The lattices $L$ are random integer 
lattices of large volume, so that $\lambda_1(L) \approx GH(L)$ with high probability. The 
challenge is to find a nearly-shortest vector, namely a nonzero lattice vector of 
norm $< 1.05\, GH(L)$. Using BKZ 2.0 with blocksize 75 and 20%-pruning, we were 
able to solve all challenges from dimension 90 to 112. 


6 Predicting BKZ 2.0 by Simulation 

We now present an efficient simulation algorithm to predict the performances of 
BKZ 2.0 with high blocksize $\beta \geq 50$ in high dimension, in terms of running time 
and output quality. Our simulation is fairly consistent with experiments using 
several core-years on 64-bit Xeon processors, on random lattices and Darmstadt’s 
lattice challenges. Accordingly, we believe that our simulation can be used to 
predict approximately what can be achieved using much larger computational 
power than used in our experiments, thereby leading to more convincing security 
estimates. 


6.1 Description 

The goal of our simulation algorithm is to predict the Gram-Schmidt sequence 
$(\|b_1^*\|, \|b_2^*\|, \ldots, \|b_n^*\|)$ during the execution of BKZ, more precisely at the be- 
ginning of every round: a round occurs whenever $j = 0$ in the corresponding step of Alg. 1, so 
one round of BKZ costs essentially $n - 1$ enumeration calls. We assume that the 
input basis is a “random” reduced basis, without special property. 

The starting point of our simulation is the intuition, based on Sect. 4, that 
the first minimum of most local blocks looks like that of a random lattice of 
dimension the blocksize: this phenomenon does not hold in small blocksize $< 30$ 
(as noted by Gama and Nguyen [?]), but it becomes more and more true as 
the blocksize increases, as shown in Fig. 2, where we see that the expectation 
and the standard deviation seem to converge to those of a random 
lattice. Intuitively, this may be explained by a concentration phenomenon: as 
the dimension increases, random lattices dominate in the set of lattices, so unless 
there is a strong reason why a given lattice cannot be random, we may assume 
that it behaves like a random lattice. 

Fig. 2. Comparing, for a non-extreme local block during BKZ-$\beta$ reduction, with 
a random lattice of dimension $\beta$. Expectations with and without standard deviation 
are given. 

Once we can predict the value of $\lambda_1(L_{[j,k]})$ for each local block, we know that 
this will be the new value of $\|b_j^*\|$ by definition of the enumeration subroutine, 
which allows us to deduce the volume of the next local block, and therefore to iterate 
the process until the end of the round. This gives rise to our simulation algorithm 
(see Alg. 2). 
Algorithm 2. Simulation of BKZ reduction 

Input: The Gram-Schmidt norms, given as $\ell_i = \log(\|b_i^*\|)$, for $i = 1, \ldots, n$, 
a blocksize $\beta \in \{45, \ldots, n\}$, and a number $N$ of rounds. 

Output: A prediction for the Gram-Schmidt norms $\ell'_i = \log(\|b_i^*\|)$, $i = 1, \ldots, n$, after 
$N$ rounds of BKZ reduction. 

1. for $k = 1, \ldots, 45$ do 
2.   $r_k \leftarrow$ average $\log(\|b_k^*\|)$ of an HKZ-reduced random unit-volume 45-dim lattice 
3. end for 
4. for $d = 46, \ldots, \beta$ do $c_d \leftarrow \log(GH(\mathbb{Z}^d)) = \log\big(\Gamma(d/2+1)^{1/d} / \sqrt{\pi}\big)$ end for 
5. for $j = 1, \ldots, N$ do 
6.   $\phi \leftarrow$ true  // flag to store whether $L_{[k,n]}$ has changed 
7.   for $k = 1$ to $n - 45$ do 
8.     $d \leftarrow \min(\beta, n - k + 1)$  // Dimension of local block 
9.     $f \leftarrow \min(k + \beta, n)$  // End index of local block 
10.    $\log V \leftarrow \sum_{i=1}^{f} \ell_i - \sum_{i=1}^{k-1} \ell'_i$ 
11.    if $\phi =$ true then 
12.      if $\log V / d + c_d < \ell_k$ then 
13.        $\ell'_k \leftarrow \log V / d + c_d$ 
14.        $\phi \leftarrow$ false 
15.      end if 
16.    else 
17.      $\ell'_k \leftarrow \log V / d + c_d$ 
18.    end if 
19.  end for 
20.  $\log V \leftarrow \sum_{i=1}^{n} \ell_i - \sum_{i=1}^{n-45} \ell'_i$ 
21.  for $k = n - 44$ to $n$ do 
22.    $\ell'_k \leftarrow \log V / 45 + r_{k+45-n}$ 
23.  end for 
24.  $\ell_{1,\ldots,n} \leftarrow \ell'_{1,\ldots,n}$ 
25. end for 


We predict this first minimum $\lambda_1(L_{[j,k]})$ as follows: 

- For most indexes $j$, we choose $GH(L_{[j,k]})$, unless $\|b_j^*\|$ was already better. 

- However, for the last indexes $j$, namely those inside the last $\beta$-dimensional 
block $L_{[n-\beta+1, n]}$, we do something different: since this last block will be HKZ- 
reduced at the end of the round, we assume that it behaves like an HKZ- 
reduced basis of a random lattice of the same volume. Since these averages 
may be expensive to compute for large $\beta$, we apply a simplified rule: we 
determine the last 45 Gram-Schmidt norms from the average Gram-Schmidt 
norms (computed experimentally) of an HKZ-reduced basis of a random 45- 
dim lattice of unit volume, and we compute the first $\beta - 45$ Gram-Schmidt 
norms using the Gaussian heuristic. But this model may not work with bases 
of special structure such as partial reductions of the NTRU Hermite normal 
form, which is why we only consider random reduced bases as input. 
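As an added illustration (not the authors' code), the following Python transcription of Alg. 2 runs the simulation on a constructed LLL-like profile in dimension 200 and reports the predicted root-Hermite factor. The 45 experimental tail constants $r_k$ are not listed on the page, so they are replaced by a labelled Gaussian-heuristic approximation, and the block end index is taken as $k + d - 1$ (our reading of step 9) so that each local block contains exactly $d$ vectors.

```python
import math

TAIL = 45  # Alg. 2 takes the last 45 Gram-Schmidt norms from an HKZ-reduced profile


def log_gh_unit(d):
    """log GH(Z^d): the Gaussian heuristic for a unit-volume lattice of dimension d,
    i.e. the c_d of step 4 of Alg. 2 (natural logarithms are used throughout)."""
    return math.lgamma(d / 2 + 1) / d - math.log(math.pi) / 2


def hkz_tail_profile(m=TAIL):
    """CONSTRUCTED stand-in for the constants r_1..r_45 of steps 1-3 (the paper measures
    them experimentally; the page does not list them): chain the Gaussian heuristic
    through the projected lattices of an HKZ-reduced basis, letting the last entry
    absorb the remaining volume so that the profile has unit volume (log sum = 0)."""
    r = []
    for k in range(1, m + 1):
        dim = m - k + 1
        if dim == 1:
            r.append(-sum(r))
        else:
            r.append(-sum(r) / dim + log_gh_unit(dim))
    return r


def simulate_bkz(ell, beta, rounds, r=None):
    """Alg. 2: predict the log Gram-Schmidt norms after `rounds` rounds of BKZ-beta.

    ell: list of l_i = log ||b_i^*|| of the input basis (i = 1..n).
    The local block at index k has dimension d = min(beta, n-k+1) and ends at
    f = k+d-1 (our reading of step 9). Entries not touched while the flag phi is
    still true keep their previous value."""
    n = len(ell)
    if not TAIL <= beta <= n:
        raise ValueError("blocksize must lie in {45, ..., n}")
    r = hkz_tail_profile() if r is None else r
    c = {d: log_gh_unit(d) for d in range(TAIL + 1, beta + 1)}   # step 4
    ell = list(ell)
    for _ in range(rounds):                                       # step 5
        new = list(ell)          # l'_k defaults to l_k
        phi = True               # step 6: nothing has changed yet in this round
        for k in range(1, n - TAIL + 1):                          # step 7
            d = min(beta, n - k + 1)                              # step 8
            f = k + d - 1                                         # step 9
            log_v = sum(ell[:f]) - sum(new[:k - 1])               # step 10
            cand = log_v / d + c[d]          # log GH of the local block
            if phi:                                               # steps 11-15
                if cand < ell[k - 1]:
                    new[k - 1] = cand
                    phi = False
            else:                                                 # steps 16-18
                new[k - 1] = cand
        log_v = sum(ell) - sum(new[:n - TAIL])                    # step 20
        for k in range(n - TAIL + 1, n + 1):                      # steps 21-23
            new[k - 1] = log_v / TAIL + r[k + TAIL - n - 1]
        ell = new                                                 # step 24
    return ell


def root_hermite_factor(ell):
    """(||b_1|| / vol(L)^{1/n})^{1/n}, computed from the log profile."""
    n = len(ell)
    return math.exp((ell[0] - sum(ell) / n) / n)


def lll_like_profile(n, delta=1.0219):
    """CONSTRUCTED input: a geometric (GSA-shaped) unit-volume profile whose
    root-Hermite factor is about delta, the typical output quality of LLL."""
    return [(n - 2 * i + 1) * math.log(delta) for i in range(1, n + 1)]


if __name__ == "__main__":
    start = lll_like_profile(200)
    for rounds in (1, 5, 20):
        out = simulate_bkz(start, 90, rounds)
        print(rounds, "round(s) of BKZ-90 in dim 200 -> root-Hermite factor",
              round(root_hermite_factor(out), 5))
```

The volume is preserved exactly by each round (the tail absorbs what the first $n-45$ entries give up), and most of the drop in the root-Hermite factor happens in the first round, matching the observation in Sect. 6.2 that early rounds do most of the work.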
This simulation algorithm allows us to guess the approximate Hermite factor 
achieved by BKZ 2.0, given an arbitrary blocksize, as summarized in Table 2: 
for a given dimension $n$, one should run the simulation algorithm, because the 
actual blocksize also depends on the dimension. As mentioned in Sect. [?], the 
Hermite factor dictates the performances at solving lattice problems relevant to 
cryptography: see [?] for approx-SVP and unique-SVP, and [?] for SIS 
and LWE. Obviously, we can only hope for an approximation, since there are 
well-known variations in the Hermite factor when the input basis is randomized. 

Table 2. Approximate required blocksize for high-dimensional BKZ, as predicted by 
the simulation 

| Target Hermite Factor | 1.01^n | 1.009^n | 1.008^n | 1.007^n | 1.006^n | 1.005^n | 
| --- | --- | --- | --- | --- | --- | --- | 
| Approximate Blocksize | 85 | 106 | 133 | 168 | 216 | 286 | 

The simulation algorithm also gives us an approximate running time, using the 
number of rounds, provided that we know the cost of the enumeration subroutine: 
we will discuss these points more precisely later on. 


6.2 Consistency with Experiments 

It turns out that our simulation matches well with experiments using random 
lattices and Darmstadt’s lattice challenges. First, the prediction of the Gram- 
Schmidt sequence $(\|b_1^*\|, \|b_2^*\|, \ldots, \|b_n^*\|)$ by our simulation algorithm is fairly 
accurate for random reduced bases, as shown in Fig. 3. This implies that our 
simulation algorithm can give a good prediction of the Hermite factor of BKZ at 
any given number of rounds, which is confirmed by Fig. 4. Furthermore, Fig. 4 
suggests that a polynomial number of calls seems sufficient to obtain a Hermite 
factor not very far from that of a full reduction: the main progress seems to 
occur in the early rounds of BKZ, which justifies the use of aborted-BKZ, which 
complements the theoretical results of [?]. 


Fig. 3. Predicted vs. actual values of Gram-Schmidt norms during BKZ-50 reduction 
of a 200-dim random lattice 

Fig. 4. Evolution and prediction of $(\|b_1\|/\mathrm{vol}(L)^{1/n})^{1/n}$ during BKZ-90 reduction in 
dim 180 for Darmstadt’s lattice challenges 500-625 

6.3 Enumeration Subroutine 

Table 3. Upper bound on the cost of the enumeration subroutine, using extreme 
pruning with aborted-BKZ preprocessing. Cost is given as $\log_2$(number of nodes). 

It remains to estimate the cost of the enumeration subroutine, with a radius 
equal to the Gaussian heuristic. First, we computed upper bounds, by applying 
extreme pruning on bases reduced with BKZ 2.0, following the search method 
of [10]: Table 3 gives the approximate cost (in terms of logarithmic number of 
nodes) of extreme pruning for blocksizes 100-250, using BKZ-75-20% as pre- 
processing, and radius equal to the Gaussian heuristic. Numbers of nodes can 
be approximately converted into clock cycles as follows: in the implementation 
of [10], one node requires about 200 clock cycles for double-precision enumera- 
tion, but this figure depends on the dimension, and for high blocksize, we may 
need higher precision than double precision. For instance, Table 3 says that ap- 
plying extreme pruning in blocksize 120 would cost at most approximately $2^{53}$ 
nodes, which is less than 30 core-years on a 1.86-GHz Xeon, assuming double 
precision. This is useful to determine parameters for feasible attacks. However, 
these upper bounds should not be considered as tight: the performances of enu- 
meration techniques depend on preprocessing, and it is likely that better figures 
(than Table 3) can be obtained with better preprocessing, including BKZ 2.0 
with different parameters. In fact, Table 3 also provides a better upper bound, 
based on our simulation of BKZ with higher blocksizes 90-120 as a preprocess- 
ing. In order to provide security estimates with a good security margin, we need 
to estimate how much progress can be made. Interestingly, there are limits to 
enumeration techniques. Nguyen [?] established a lower bound on the number 
of nodes at each depth of the enumeration tree, assuming that the Gaussian 
heuristic estimates well the number of nodes (as is usual in analyzing the com- 
plexity of enumeration techniques). The lower bounds are based on the Rankin 
invariants $\gamma_{n,m}(L)$ of a lattice: 

$$\gamma_{n,m}(L) = \min_{\substack{S \text{ sublattice of } L \\ \dim S = m}} \left( \frac{\mathrm{vol}(S)}{\mathrm{vol}(L)^{m/n}} \right)^2 .$$

In particular, this result shows that the number of nodes in the middle depth 
of a full enumeration of a $d$-dim lattice $L$ with radius $GH(L)$ is 

$$\geq V_{d/2}(1) \sqrt{\frac{\gamma_{d,d/2}(L)}{V_d(1)}} , \qquad (1)$$

where $V_k(1)$ denotes the volume of the $k$-dimensional unit ball. For typical lattices $L$, the Rankin invariant $\gamma_{n,m}(L)$ is heuris- 
tically close to the following lower bound on Rankin’s constant $\gamma_{n,m}$ (see [?]): 


$$\gamma_{n,m} \geq \left( \frac{\prod_{j=n-m+1}^{n} Z(j)}{\prod_{j=2}^{m} Z(j)} \right)^{2/n} , \qquad (2)$$

where $Z(j) = [\ldots]$ and $\zeta$ is Riemann’s zeta function: $\zeta(j) = \sum_{p=1}^{\infty} p^{-j}$. 
These lower bounds are for full enumeration, but they can be adapted to pruning 
by taking into account the actual speedup of pruning (as analyzed in [?]), which 
is asymptotically $2^{n/4}$ for high-probability pruning and $2^{n/2}$ for extreme pruning. 
Table 4 gives the figures obtained with respectively the actual speedup of the 
so-called linear pruning, and the asymptotical speedup $2^{n/2}$ of extreme pruning. 
Compared to the upper bounds of Table 3, there is a significant gap: the lower 
bound of linear pruning tells us how much progress could be made if a stronger 
preprocessing was found for enumeration. 

Table 4. Lower bounds on the cost (in log-nodes) of the enumeration subroutine using 
linear pruning or extreme pruning, following [?] 

Finally, we note that asymptotically, heuristic variants [?] of sieve al- 
gorithms [?] are faster than pruned enumeration. However, it is unclear how 
meaningful this is for security estimates, since these variants require exponential 
space and are outperformed in practice. And more experiments than [?] 
would be required to evaluate precisely their practical running time. But our 
model can easily adapt to new progress in the enumeration subroutine, due to 
Table 4. 

7 Revising Security Estimates 

Here, we illustrate how our simulation algorithm can be used to obtain arguably 
better security estimates than previously known. 
7.1 NTRU Lattices 

In the NTRU cryptosystem [?], recovering the secret key from the public key 
amounts to finding a shortest vector in high-dimensional lattices of special struc- 
ture. Because NTRU security estimates are based on benchmarks with BKZ, it 
is interesting to see the limits of this methodology. 

In the original article [?], the smallest parameter set NTRU-107 corresponds 
to lattices of dimension 214, and it was estimated that key recovery would cost 
at least $2^{50}$ elementary operations. The best experimental result to recover the 
secret key for NTRU-107 by direct lattice reduction (without ad-hoc techniques 
like [?] which exploit the special structure of NTRU lattices) is due to 
May in 1999 [?], who reported one successful experiment using BKZ with SH 
pruning [?], after 663 hours on a 200-MHz processor, that is $2^{48.76}$ clock cycles. 
We performed experiments with BKZ 2.0 on 10 random NTRU-107 lattices: we 
applied LLL and BKZ-20, which takes a few minutes at most; we applied BKZ- 
65 with 5%-pruning, and checked every 5 minutes if the first basis vector was 
the shortest vector corresponding to the secret key, in which case we aborted. 
BKZ 2.0 was successful for each lattice, and the aborted BKZ-65 reduction took 
less than 2000s on the average, on a 2.83Mhz single core. So the overall running 
time is less than 40 minutes, that is $2^{42.62}$ clock cycles, which gives a speedup of 
at least 70, compared to May’s experiment, and is significantly lower than $2^{50}$ 
elementary operations. Hence, there is an order of magnitude between the initial 
security estimate of $2^{50}$ and the actual security level, which is approximately at 
most 40-bit. 

Now, we revisit recent parameters for NTRUSign. In the recent article by 
Hoffstein et al. [?], a summary of the latest parameters for NTRU encryption 
and signature is given. In particular, the smallest parameter for NTRUSign is 
$(N, q) = (157, 256)$, which is claimed to provide 80-bit security against all at- 
tacks known, and 93-bit security against key-recovery lattice attacks. Similarly 
to [?], we estimate that finding the secret key is essentially as hard as recovering 
a vector of norm $< q$ in a lattice of dimension $2N = 314$ and volume $q^N$, which 
corresponds to a Hermite factor of $1.00886^{2N}$. We ran our simulation algorithm 
for these parameters to guess how many rounds would be required, depending 
on the blocksize, starting from a BKZ-20 reduced basis (whose cost is negligible 
here): about six rounds of BKZ-110 should be sufficient to break NTRUSign- 
157, which corresponds to roughly $2^{11}$ enumerations. And according to Table 3, 
extreme pruning enumeration in blocksize 110 can be done by searching through 
at most $2^{47}$ nodes, which corresponds to roughly $2^{54}$ clock cycles on a typical 
processor. This suggests that the security level of the smallest NTRUSign pa- 
rameter against state-of-the-art lattice attacks is at most 65-bit, rather than 
93-bit, which is a significant gap. 


7.2 Gentry-Halevi’s Fully-Homomorphic Encryption Challenges 

We now turn to Gentry-Halevi’s main Fully-Homomorphic Encryption Chal- 
lenges [?], for which no concrete security estimate was given. Decrypting a 
ciphertext amounts to solving a BDD instance, which can be done up to the dis- 
tance $\min_i \|b_i^*\|/2$ using Babai’s nearest plane algorithm. Targeting a given 
value of $\min_i \|b_i^*\|$ can be transformed into a target Hermite factor in the dual 
lattice. This allows us to estimate the required Hermite factor to solve the BDD 
instance, based on the approximate distance of the BDD instance and the lattice 
volume, which is summarized in Table 5. 


Table 5. Security Assessment of Gentry-Halevi’s main challenges m 



Accordingly, we speculate that decryption for the toy, small and medium 
challenges can be solved by LLL reduction, which is not straightforward due to 
the lattice dimension and the gigantic bit-size of the basis (note that there is 
new theoretical progress [?] on LLL-reduction for large entries). We checked 
that this was indeed the case for the toy challenge, by performing an actual 
reduction using a modification of fplll [?]. For the small and medium challenges, 
we extrapolated running times from truncated challenges, using the fact that our 
modification of fplll has heuristic running time $O(n^3 d^2)$ where $d$ is the bit-size of 
the lattice volume, and where the $O$ constant depends on the floating-point precision 
(which increases with the dimension). According to our simulation, breaking the 
large challenge would require a blocksize $\approx 130$ and approximately 60000 rounds 
(starting from an LLL basis), that is, $2^{31}$ enumeration calls. Based on Table 3, 
this enumeration routine would cost at most $2^{60}$ nodes, so the security offered 
by the large challenge is at most roughly 100-bit. On the other hand, if ever 
a stronger preprocessing for enumeration is found, Table 4 suggests that the 
security level could potentially drop by a factor in the range $2^{10}$ to $2^{40}$. 

Acknowledgements. Part of this work is supported by the Commission of the 
European Communities through the ICT program under contract ICT-2007- 
216676 ECRYPT II. 
Abstract. We propose a lattice-based functional encryption scheme for inner 
product predicates whose security follows from the difficulty of the learning with 
errors (LWE) problem. This construction allows us to achieve applications such 
as range and subset queries, polynomial evaluation, and CNF/DNF formulas on 
encrypted data. Our scheme supports inner products over small fields, in contrast 
to earlier works based on bilinear maps. 

Our construction is the first functional encryption scheme based on lattice 
techniques that goes beyond basic identity-based encryption. The main technique 
in our scheme is a novel twist to the identity-based encryption scheme of Agrawal, 
Boneh and Boyen (Eurocrypt 2010). Our scheme is weakly attribute hiding in the 
standard model. 

Keywords: Functional encryption, predicate encryption, lattices, learning with 


1 Introduction 

Traditional public-key encryption is “coarse,” in the sense that any user in the system 
can decrypt only messages encrypted with that user’s public key. In a line of research 
beginning with the work of Sahai and Waters [?], a number of researchers have 
asked how to make encryption more fine-grained. The result is the notion of functional 
encryption [?], in which secret keys allow users to learn functions of encrypted 
data. Two important examples of functional encryption are attribute-based encryption 
(ABE) [?] and predicate encryption (PE) [?]. In (key-policy) ABE and PE 
systems, each ciphertext $c$ is associated with an attribute $a$ and each secret key $s$ is 
associated with a predicate $f$. A user holding the key $s$ can decrypt $c$ if and only 
if $f(a) = 1$. The difference between the two types of systems is in the amount 
of information revealed: an ABE system reveals the attribute associated with each 
ciphertext, while a PE system keeps the attribute hidden. (Formal definitions of these 
properties appear in Section [?].) 

This hiding requirement has made predicate encryption systems much more difficult 
to construct than attribute-based encryption systems: while there exist ABE schemes 
that allow any access formula over attributes [?], the most expressive PE scheme 
is that of Katz, Sahai, and Waters [29], who construct a PE scheme for inner product 
predicates. In such a scheme, attributes $a$ and predicates $f$ are expressed as vectors 
$v_a$ and $w_f$ respectively, and we say $f(a) = 1$ if and only if $\langle v_a, w_f \rangle = 0$. Despite 
this apparently restrictive structure, inner product predicates can support conjunction, 
subset and range queries on encrypted data [?] as well as disjunctions, polynomial 
evaluation, and CNF and DNF formulas [29]. 

All known constructions of attribute-based encryption [?] 
and predicate encryption [?] make use of groups 
with bilinear maps, and the security of these schemes is based on many different, and 
often complex, assumptions. In particular, there is at present no known construction of 
predicate encryption for inner products based on a “standard” assumption in bilinear 
groups.¹ As an example of a “nonstandard” assumption used in previous constructions, 
Katz, Sahai, and Waters present an assumption [29, Assumption 1] where the challenge 
consists of ten elements chosen in a specified way from a group whose order is the 
product of three large primes $p, q, r$, and the problem is to determine whether one of 
these elements has an order-$q$ component. While assumptions such as this one can often 
be shown to hold in a suitable “generic group model” (e.g., [29, Appendix A]), to obtain 
more confidence in security we would like to build ABE and PE schemes based on 
computational problems whose complexity is better understood. 

Our Contribution. In this work we construct a lattice-based predicate encryption 
scheme for inner product predicates whose security follows from the difficulty of 
the learning with errors (LWE) problem. The LWE problem, in turn, is at least as 
hard as approximating the standard lattice problems GapSVP and SIVP in the worst 
case [?] and is also conjectured to be difficult even for quantum adversaries. 
Our construction is the first functional encryption scheme based on lattice techniques 
that goes beyond basic identity-based encryption (which can be viewed as predicate 
encryption that tests equality on strings). Our construction is capable of instantiating 
all of the applications of predicate encryption proposed by Boneh and Waters [?] and 
Katz, Sahai, and Waters [29].² While our construction does not satisfy the strong notion 
of privacy defined by Katz, Sahai, and Waters [29], it does satisfy the slightly weaker 
notion considered by Okamoto and Takashima [?] and Lewko et al. [?]. 


¹ Okamoto and Takashima [23] claim a PE construction from the decision linear assumption, 
but their paper only indicates how this is achieved for ABE. 

² A detailed discussion of these applications can be found in the full version of this paper [?, §5]. 
1.1 Overview of the Construction 

Our Approach. Just as functional encryption in bilinear groups builds on the ideas and 
techniques introduced in constructions of identity-based encryption (IBE) in bilinear 
groups [?], our construction builds on the ideas and techniques used 
to achieve identity-based encryption from the LWE assumption [?]. However, 
there is a key difference between lattice IBE constructions (without random oracles) 
and bilinear-group constructions that makes this kind of generalization more difficult in 
the lattice setting. Namely, in the bilinear-group IBE constructions the groups remain 
fixed, while the ciphertexts and keys are manipulated so that group elements “cancel 
out” when a ciphertext matches a key. In the lattice IBE constructions, each key and 
ciphertext is constructed using a different lattice, and decryption only works when the 
key lattice and ciphertext lattice match. This structure does not easily generalize to the 
functional encryption setting, where each key may match many ciphertexts and each 
ciphertext may match many keys. 

We solve this “lattice matching” problem using a new algebraic technique that builds 
on the IBE scheme of Agrawal, Boneh, and Boyen [?]. In our construction, we generate 
keys using a lattice $\Lambda_f$ that depends only on the predicate $f$, and we generate ciphertexts 
$c$ using a lattice $\Lambda_a$ that depends only on the attribute $a$. Given a ciphertext $c$ generated 
in this way and predicate $f$, we apply a suitable linear transformation that moves $c$ into 
the lattice $\Lambda_f$ if and only if $f(a) = 1$. Once this transformation is applied, we can 
decrypt using a key associated with $\Lambda_f$. 

The details of our scheme and security proof are in Section [?]. To prove security, 
we use a simulation technique that draws on ideas introduced in [?]. In particular, 
we construct our simulation using a “punctured” trapdoor that allows the simulator to 
generate secret keys for any predicate $f$ such that $f(a) = 0$, where $a$ is the “challenge” 
attribute. In the simulation we can use an LWE challenge to construct a ciphertext that 
either decrypts correctly or decrypts to a random message. While this technique suffices 
to prove that the system hides the message contents (“payload hiding”), it only allows us 
to prove a weak form of anonymity (“attribute hiding”). Specifically, given a ciphertext 
$c$ and a number of keys that do not decrypt $c$, the user cannot determine the attribute 
associated with $c$. In the strong form of attribute hiding, the user cannot determine the 
attribute associated with $c$ even when given keys that do decrypt $c$. (Formal definitions 
of these concepts appear in Section [?].) The weakened form of attribute hiding we do 
achieve is nonetheless more than is required for ABE and should be sufficient for many 
applications of PE. 

Key Technical Ideas. Our encryption scheme is at its core based on the LWE scheme 
of Gentry, Peikert, and Vaikuntanathan [?, §7], which is itself a “dual” of the original 
Regev LWE scheme [?, §5]. From a geometric perspective, the public key in the GPV 
scheme describes a lattice $\Lambda$ used to construct ciphertexts, and the secret key is derived 
from the dual lattice $\Lambda^\perp$. Existing constructions of lattice-based IBE in the standard 
model [?] use the GPV encryption scheme but replace the fixed lattice $\Lambda$ with 
a lattice $\Lambda_{id}$ that depends on the user’s identity $id$. Decryption only works when the 
ciphertext lattice $\Lambda_{id}$ and secret key lattice $\Lambda_{id'}$ are duals of each other, and there are 
several methods of ensuring that this is the case if and only if $id = id'$. 
In trying to adapt these constructions to the predicate encryption setting, we run 
into the problem that each ciphertext can be decrypted by many secret keys and each 
secret key can decrypt many ciphertexts. Thus we cannot require that key lattices match 
ciphertext lattices in the same way as above. 

Before explaining our solution to this problem, let us recall the IBE scheme of 
Agrawal, Boneh, and Boyen [?]. In the ABB IBE scheme, the encryption lattice is 
constructed as 

$$\Lambda_{id} = \Lambda_q\big( A_0 \,\|\, A_1 + H(id) B \big),$$

where $A_0, A_1, B$ are $n \times m$ matrices over $\mathbb{Z}_q$ and $H(id)$ is a “full-rank difference” 
hash function. One can generate secret keys for $\Lambda_{id}$ using a short basis of $\Lambda_q^\perp(A_0)$ 
and the basis extension technique of [?]. In the (selective-)security proof, the LWE 
challenge is embedded as the matrix $A_0$, and the matrix $A_1 + H(id) B$ is equipped with 
a “punctured” trapdoor that allows the simulator to respond to secret key queries for all 
identities $id$ not equal to the challenge identity $id^*$. 

The algebraic structure of the ABB IBE scheme gives us the tools we need to 
solve the “lattice matching” problem described above. Specifically, in our predicate 
encryption scheme we encode an attribute vector $w = (w_1, \ldots, w_\ell) \in \mathbb{Z}_q^\ell$ as the $n \times \ell m$ 
matrix 

$$B_w := \big( w_1 B \,\|\, \cdots \,\|\, w_\ell B \big),$$

where $B \in \mathbb{Z}_q^{n \times m}$ is a uniformly random matrix chosen by the encryptor. We generate 
the ciphertext as a GPV encryption relative to the matrix 

$$A_w := \big( A_0 \,\|\, A_1 + w_1 B \,\|\, \cdots \,\|\, A_\ell + w_\ell B \big),$$

where the $A_i$ are all $n \times m$ matrices. We view the ciphertext component that is close to 
$\Lambda_w$ as a tuple $(c_0, \ldots, c_\ell) \in (\mathbb{Z}_q^m)^{\ell+1}$. 

Since the recipient of a ciphertext does not know a priori which lattice was used 
to encrypt (indeed, this is exactly the anonymity property of predicate encryption), we 
cannot expect the recipient to possess a secret key derived from the dual of the ciphertext 
lattice as in the IBE case. Instead, we derive the key for a predicate vector $v$ from 
the dual of a certain lattice $\Lambda_v$ and apply a linear transformation $T_v$ that moves the 
ciphertext into $\Lambda_v$ exactly when $\langle v, w \rangle = 0$. If this linear transformation is “short” (in 
the sense of not increasing the length of vectors too much), then a GPV secret key 
derived from $\Lambda_v$ can decrypt the ciphertext $T_v(c)$. 

Concretely, this transformation works as follows. For a predicate vector $v = 
(v_1, \ldots, v_\ell) \in \mathbb{Z}_q^\ell$, we define the linear transformation $T_v : (\mathbb{Z}_q^m)^{\ell+1} \to \mathbb{Z}_q^{2m}$ by 

$$T_v(c_0, \ldots, c_\ell) \mapsto \Big( c_0,\ \sum_{i=1}^{\ell} v_i c_i \Big).$$

Some algebraic manipulation (detailed in Section [?]) shows that applying this transfor- 
mation to a ciphertext encrypted using $A_w$ is equivalent to computing a GPV ciphertext 
using the lattice 

$$\Lambda_{v,w} := \Lambda_q\Big( A_0 \,\Big\|\, \sum_{i=1}^{\ell} v_i A_i + \langle v, w \rangle B \Big).$$

Letting the secret key for $v$ be the GPV secret key associated to $\big( A_0 \,\|\, \sum_{i=1}^{\ell} v_i A_i \big)$ 
allows the holder of a key for predicate $v$ to decrypt a ciphertext associated with attribute 
$w$ exactly when $\langle v, w \rangle = 0$. In this aspect our construction is inspired by that of Katz, 
Sahai, and Waters [29]: the matrix $B$ corresponds to the “masking terms” in a KSW 
ciphertext that “cancel out” exactly when $\langle v, w \rangle = 0$. 

The reader may have observed that in the above formulation, the requirement that 
the transformation $T_v$ be “short” implies that we cannot use all vectors $v \in \mathbb{Z}_q^\ell$ as 
predicates, but only ones whose entries have small absolute value (when viewed as 
integers in $(-q/2, q/2]$). In Section [?] we will show that decomposing the vector $v$ into 
its binary representation enables our construction to use arbitrary vectors in $\mathbb{Z}_q^\ell$ at the 
expense of expanding the ciphertext by a factor of $\lg q$. 
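The identity behind $T_v$ can be checked numerically on a toy instance. The following Python block is an added example, not code from the paper: it builds GPV-style components $c_i = (A_i + w_i B)^T s + e_i$ over a constructed $\mathbb{Z}_{97}$ instance with $n = 4$, $m = 6$, $\ell = 3$ (parameters far too small for any security), applies $T_v$, and verifies that the result equals $(\sum_i v_i A_i)^T s + \sum_i v_i e_i$ plus a leftover $\langle v, w \rangle B^T s$ that vanishes exactly when $\langle v, w \rangle = 0$, with noise grown by at most $\sum_i |v_i|$.

```python
import random


def mat_t_vec(A, s, q):
    """A^T s mod q for an n x m matrix A (list of rows) and a length-n vector s."""
    n, m = len(A), len(A[0])
    return [sum(A[i][j] * s[i] for i in range(n)) % q for j in range(m)]


def rand_matrix(rng, n, m, q):
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def inner(u, w, q):
    return sum(a * b for a, b in zip(u, w)) % q


def encrypt_components(rng, A, B, w, s, q, noise=1):
    """GPV-style encryption relative to A_w = (A_0 || A_1 + w_1 B || ... || A_l + w_l B):
    c_0 = A_0^T s + e_0 and c_i = (A_i + w_i B)^T s + e_i (mod q) with small errors.
    Returns the tuple (c_0, ..., c_l) and the errors (kept only to check the claim)."""
    comps, errs = [], []
    n, m = len(B), len(B[0])
    for i, Ai in enumerate(A):                      # A[0] = A_0, A[i] = A_i
        wi = 0 if i == 0 else w[i - 1]
        Awi = [[(Ai[r][c] + wi * B[r][c]) % q for c in range(m)] for r in range(n)]
        e = [rng.randint(-noise, noise) for _ in range(m)]
        comps.append([(x + y) % q for x, y in zip(mat_t_vec(Awi, s, q), e)])
        errs.append(e)
    return comps, errs


def transform(v, comps, q):
    """T_v(c_0, ..., c_l) = (c_0, sum_i v_i c_i) mod q."""
    c0, rest = comps[0], comps[1:]
    return c0, [sum(vi * ci[j] for vi, ci in zip(v, rest)) % q for j in range(len(c0))]


def key_lattice_component(v, A, s, q):
    """(sum_i v_i A_i)^T s mod q: what a key for v expects in the second component.
    This matrix does not involve w, which is why one key serves many attributes."""
    n, m = len(A[0]), len(A[0][0])
    M = [[sum(vi * Ai[r][c] for vi, Ai in zip(v, A[1:])) % q for c in range(m)]
         for r in range(n)]
    return mat_t_vec(M, s, q)


def residual(v, w, A, B, s, comps, errs, q):
    """T_v(c)_1 - (sum_i v_i A_i)^T s - sum_i v_i e_i  (mod q).
    By the identity in the text this equals <v,w> * B^T s, so it is zero iff <v,w> = 0."""
    _, t = transform(v, comps, q)
    expected = key_lattice_component(v, A, s, q)
    m = len(t)
    err = [sum(vi * e[j] for vi, e in zip(v, errs[1:])) for j in range(m)]
    return [(t[j] - expected[j] - err[j]) % q for j in range(m)]


def demo(seed=0, n=4, m=6, l=3, q=97):
    """CONSTRUCTED toy instance: random public matrices, a short predicate v and an
    attribute w chosen so that <v, w> = 0 mod q; then a perturbed v_bad with <v_bad, w> != 0."""
    rng = random.Random(seed)
    A = [rand_matrix(rng, n, m, q) for _ in range(l + 1)]
    B = rand_matrix(rng, n, m, q)
    s = [rng.randrange(q) for _ in range(n)]
    # predicates must be short; v_l is kept nonzero so it is invertible mod the prime q
    v = [rng.randint(-3, 3) for _ in range(l - 1)] + [rng.randint(1, 3)]
    # attributes may be arbitrary in Z_q; w_1 != 0 guarantees <v_bad, w> != 0 below
    w = [rng.randrange(1, q)] + [rng.randrange(q) for _ in range(l - 2)]
    w.append((-sum(vi * wi for vi, wi in zip(v, w)) * pow(v[-1], -1, q)) % q)
    comps, errs = encrypt_components(rng, A, B, w, s, q)
    res_ok = residual(v, w, A, B, s, comps, errs, q)
    v_bad = list(v)
    v_bad[0] += 1                                    # <v_bad, w> = w_1 != 0 mod q
    res_bad = residual(v_bad, w, A, B, s, comps, errs, q)
    vw_bad = inner(v_bad, w, q)
    bts = mat_t_vec(B, s, q)
    return {
        "orthogonal": inner(v, w, q) == 0,
        "matches_key_lattice": all(x == 0 for x in res_ok),
        "bad_inner": vw_bad,
        "bad_residual_is_vwB": res_bad == [(vw_bad * x) % q for x in bts],
        "noise_bound": sum(abs(vi) for vi in v),     # |sum v_i e_i| <= bound * max|e_i|
    }


if __name__ == "__main__":
    print(demo())
```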

2 Predicate Encryption 

We use the definition of predicate encryption proposed by Katz, Sahai, and Waters [29], 
which is based on the definition of searchable encryption proposed by Boneh and 
Waters [?]. We will let $n$ denote the security parameter throughout this paper. 

Definition 2.1 ([29, Definition 2.1]). A (key-policy) predicate encryption scheme for 
the class of predicates $\mathcal{F}$ over the set of attributes $\Sigma$ consists of four probabilistic 
polynomial-time algorithms Setup, KeyGen, Enc, Dec such that: 

- Setup takes as input a security parameter $n$ and outputs a set of public parameters 
$PP$ and a master secret key $MK$. 

- KeyGen takes as input the master secret key $MK$ and a (description of a) predicate 
$f \in \mathcal{F}$. It outputs a key $sk_f$. 

- Enc takes as input the public parameters $PP$, an attribute $I \in \Sigma$, and a message $M$ 
in some associated message space $\mathcal{M}$. It returns a ciphertext $C$. 

- Dec takes as input a secret key $sk_f$ and a ciphertext $C$. It outputs either a message 
$M$ or the distinguished symbol $\perp$. 

For correctness, we require that for all $n$, all $(PP, MK)$ generated by $\mathrm{Setup}(1^n)$, all 
$f \in \mathcal{F}$, any key $sk_f \leftarrow \mathrm{KeyGen}(MK, f)$, all $I \in \Sigma$, and any ciphertext $C \leftarrow 
\mathrm{Enc}(PP, I, M)$: 

- If $f(I) = 1$, then $\mathrm{Dec}(sk_f, C) = M$. 

- If $f(I) = 0$, then $\mathrm{Dec}(sk_f, C) = \perp$ with all but negligible probability. 

In a ciphertext-policy scheme keys are associated with attributes and ciphertexts are 
associated with predicates; the syntax is otherwise the same. 

Our construction in Section 4 satisfies a different correctness condition: If $f(I) = 1$ 
and $C = \mathrm{Enc}(\mathrm{PP}, I, M)$, then $\mathrm{Dec}(\mathrm{sk}_f, C) = M$, but if $f(I) = 0$ then $\mathrm{Dec}(\mathrm{sk}_f, C)$ 
is computationally indistinguishable from a uniformly random element in the message 
space $\mathcal{M}$. However, if $\mathcal{M}$ is exponentially large then we can easily transform our system 
into one satisfying Definition 2.1 by restricting the message space to some subset $\mathcal{M}' \subset \mathcal{M}$ 
with $|\mathcal{M}'|/|\mathcal{M}| = \mathrm{negl}(n)$. 
2.1 Security 

There are several notions of security for predicate encryption schemes. The most basic is 
payload hiding, which guarantees that no efficient adversary can obtain any information 
about the encrypted message, but allows information about attributes to be revealed. 
A stronger notion is attribute hiding, which guarantees in addition that no efficient 
adversary can obtain any information about the attribute associated with a ciphertext. 
Following Lewko et al. (Definition 17 there), we also define an intermediate notion, weak 
attribute hiding, which makes the same guarantee only in the case that the adversary 
cannot decrypt the ciphertext. Our definition of security is “selective,” in the sense that 
the adversary must commit to its challenge attributes before seeing any secret keys. 

Definition 2.2 ([29, Definition 2.2]). A predicate encryption scheme with respect to 
$\mathcal{F}$ and $\Sigma$ is attribute hiding if for all probabilistic polynomial-time adversaries $\mathcal{A}$, the 
advantage of $\mathcal{A}$ in the following experiment is negligible in the security parameter $n$: 

1. $\mathcal{A}(1^n)$ outputs $I_0, I_1 \in \Sigma$. 

2. Setup($1^n$) is run to generate PP and MK, and the adversary is given PP. 

3. $\mathcal{A}$ may adaptively request keys for any predicates $f_1, \dots, f_t \in \mathcal{F}$ subject to the 
restriction that $f_i(I_0) = f_i(I_1)$ for all $i$. In response, $\mathcal{A}$ is given the corresponding 
keys $\mathrm{sk}_{f_i} \leftarrow \mathrm{KeyGen}(\mathrm{MK}, f_i)$. 

4. $\mathcal{A}$ outputs two equal-length messages $M_0, M_1$. If there is an $i$ for which $f_i(I_0) = f_i(I_1) = 1$, 
then it is required that $M_0 = M_1$. A random bit $b$ is chosen, and $\mathcal{A}$ is 
given the ciphertext $C \leftarrow \mathrm{Enc}(\mathrm{PP}, I_b, M_b)$. 

5. The adversary may continue to request keys for additional predicates, subject to the 
same restrictions as before. 

6. $\mathcal{A}$ outputs a bit $b'$, and succeeds if $b' = b$. The advantage of $\mathcal{A}$ is the absolute value 
of the difference between its success probability and $1/2$. 

We say the scheme is weakly attribute hiding if the same condition holds for 
adversaries $\mathcal{A}$ that are only allowed to request keys for predicates $f_i$ with $f_i(I_0) = f_i(I_1) = 0$. 
We say the scheme is payload hiding if we require $I_0 = I_1$. 

We observe that any scheme that is attribute hiding is weakly attribute hiding, and any 
scheme that is weakly attribute hiding is payload hiding. (In the payload hiding game no 
adversary can achieve nonzero advantage when requesting a key for a predicate $f$ with 
$f(I_0) = f(I_1) = 1$, so we may assume without loss of generality that the adversary 
does not request such a key.) 

Remark 2.3. In our construction the spaces $\mathcal{F}$ of predicates and $\Sigma$ of attributes depend 
on the public parameters PP output by Setup. We thus modify the security game so as 
to give the adversary descriptions of $\mathcal{F}$ and $\Sigma$ before Step 1 and run the remainder of 
the game (including any remaining steps in the Setup algorithm) as described. 

3 Lattice Preliminaries 

In this section we collect the results from the literature that we will need for our 
construction and the proof of security. 
Notation. For any integer $q \ge 2$, we let $\mathbb{Z}_q$ denote the ring of integers modulo $q$ and 
we represent $\mathbb{Z}_q$ as integers in $(-q/2, q/2]$. We let $\mathbb{Z}_q^{n \times m}$ denote the set of $n \times m$ 
matrices with entries in $\mathbb{Z}_q$. We use bold capital letters (e.g. $\mathbf{A}$) to denote matrices, 
bold lowercase letters (e.g. $\mathbf{x}$) to denote vectors that are components of our encryption 
scheme, and arrows (e.g. $\vec v$) to denote vectors that represent attributes or predicates. The 
notation $\mathbf{A}^T$ denotes the transpose of the matrix $\mathbf{A}$. When we say a matrix defined over 
$\mathbb{Z}_q$ has full rank, we mean that it has full rank modulo each prime factor of $q$. The 
notation $\lfloor x \rceil$ denotes the nearest integer to $x$, rounding towards 0 for half-integers. 

3.1 Lattices 

An $m$-dimensional lattice $\Lambda$ is a full-rank discrete subgroup of $\mathbb{R}^m$. A basis of $\Lambda$ is a 
linearly independent set of vectors whose span is $\Lambda$. We will usually be concerned with 
integer lattices, i.e., those whose points have coordinates in $\mathbb{Z}^m$. Among these lattices 
are the “$q$-ary” lattices defined as follows: for any integer $q \ge 2$ and any $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, 
we define 

$$\Lambda_q^{\perp}(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m : \mathbf{A} \cdot \mathbf{e} = 0 \bmod q\}$$

$$\Lambda_q^{\mathbf{u}}(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m : \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q\}.$$

The lattice $\Lambda_q^{\mathbf{u}}(\mathbf{A})$ is a coset of $\Lambda_q^{\perp}(\mathbf{A})$; namely, $\Lambda_q^{\mathbf{u}}(\mathbf{A}) = \Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$ for any $\mathbf{t}$ such 
that $\mathbf{A} \cdot \mathbf{t} = \mathbf{u} \bmod q$. 

The Gram-Schmidt norm of a basis. Let $S = \{\mathbf{s}_1, \dots, \mathbf{s}_k\}$ be a set of vectors in $\mathbb{R}^m$. 
We use the following standard notation: 

- $\|S\|$ denotes the length of the longest vector in $S$, i.e., $\max_{1 \le i \le k} \|\mathbf{s}_i\|$. 

- $\tilde{S} := \{\tilde{\mathbf{s}}_1, \dots, \tilde{\mathbf{s}}_k\} \subset \mathbb{R}^m$ denotes the Gram-Schmidt orthogonalization of the 
vectors $\mathbf{s}_1, \dots, \mathbf{s}_k$. 

We refer to $\|\tilde{S}\|$ as the Gram-Schmidt norm of $S$. 

Ajtai and later Alwen and Peikert showed how to sample an almost uniform 
matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ along with a basis $\mathbf{S}$ of $\Lambda_q^{\perp}(\mathbf{A})$ with low Gram-Schmidt norm. 

Theorem 3.1 ([Theorem 3.2] with $\delta = 1/3$). Let $q, n, m$ be positive integers 
with $q \ge 2$ and $m \ge 6n \lg q$. There is a probabilistic polynomial-time algorithm 
TrapGen($q, n, m$) that with overwhelming probability (in $n$) outputs a pair $(\mathbf{A} \in \mathbb{Z}_q^{n \times m}, \mathbf{S} \in \mathbb{Z}^{m \times m})$ 
such that $\mathbf{A}$ is statistically close to uniform in $\mathbb{Z}_q^{n \times m}$ and $\mathbf{S}$ is 
a basis for $\Lambda_q^{\perp}(\mathbf{A})$ satisfying 

$$\|\tilde{\mathbf{S}}\| \le O(\sqrt{n \log q}) \quad\text{and}\quad \|\mathbf{S}\| \le O(n \log q).$$

Gaussian Distributions. Let $L$ be a discrete subset of $\mathbb{Z}^n$. For any vector $\mathbf{c} \in \mathbb{R}^n$ 
and any positive parameter $\sigma \in \mathbb{R}_{>0}$, let $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) := \exp(-\pi \|\mathbf{x} - \mathbf{c}\|^2 / \sigma^2)$ be the 
Gaussian function on $\mathbb{R}^n$ with center $\mathbf{c}$ and parameter $\sigma$. Let $\rho_{\sigma,\mathbf{c}}(L) := \sum_{\mathbf{x} \in L} \rho_{\sigma,\mathbf{c}}(\mathbf{x})$ 
be the discrete integral of $\rho_{\sigma,\mathbf{c}}$ over $L$ (which always converges), and let $\mathcal{D}_{L,\sigma,\mathbf{c}}$ be the 
discrete Gaussian distribution over $L$ with center $\mathbf{c}$ and parameter $\sigma$. Specifically, for 
all $\mathbf{y} \in L$, we have $\mathcal{D}_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y}) / \rho_{\sigma,\mathbf{c}}(L)$. For notational convenience, $\rho_{\sigma,\mathbf{0}}$ and $\mathcal{D}_{L,\sigma,\mathbf{0}}$ 
are abbreviated as $\rho_\sigma$ and $\mathcal{D}_{L,\sigma}$, respectively. 

The following lemma gives a bound on the length of vectors sampled from a discrete 
Gaussian. The result follows from [Lemma 4.4], using [Lemma 5.3] to bound 
the smoothing parameter. 

Lemma 3.2. Let $\Lambda$ be an $n$-dimensional lattice, let $\mathbf{T}$ be a basis for $\Lambda$, and suppose 
$\sigma > \|\tilde{\mathbf{T}}\| \cdot \omega(\sqrt{\log n})$. Then for any $\mathbf{c} \in \mathbb{R}^n$ we have 

$$\Pr\big[\|\mathbf{x} - \mathbf{c}\| > \sigma \sqrt{n} : \mathbf{x} \leftarrow \mathcal{D}_{\Lambda,\sigma,\mathbf{c}}\big] \le \mathrm{negl}(n).$$


3.2 Sampling Algorithms 

We will use the following algorithms to sample short vectors from specific lattices. 
Looking ahead, the algorithm SampleLeft will be used to sample keys in the 
real system, while the algorithm SampleRight will be used to sample keys in the 
simulation. 

Algorithm SampleLeft($\mathbf{A}, \mathbf{B}, \mathbf{T}_{\mathbf{A}}, \mathbf{u}, \sigma$): 

Inputs: a full rank matrix $\mathbf{A}$ in $\mathbb{Z}_q^{n \times m}$, a “short” basis $\mathbf{T}_{\mathbf{A}}$ of $\Lambda_q^{\perp}(\mathbf{A})$, a 
matrix $\mathbf{B}$ in $\mathbb{Z}_q^{n \times m_1}$, a vector $\mathbf{u} \in \mathbb{Z}_q^n$, and a Gaussian parameter $\sigma$. (3.1) 

Output: Let $\mathbf{F} := (\mathbf{A} \,\|\, \mathbf{B})$. The algorithm outputs a vector $\mathbf{e} \in \mathbb{Z}^{m+m_1}$ in 
the coset $\Lambda_q^{\mathbf{u}}(\mathbf{F})$. 

Theorem 3.3 ([3, Theorem 17], [Lemma 3.2]). Let $q > 2$, $m > n$ and 
$\sigma > \|\tilde{\mathbf{T}}_{\mathbf{A}}\| \cdot \omega(\sqrt{\log(m + m_1)})$. Then SampleLeft($\mathbf{A}, \mathbf{B}, \mathbf{T}_{\mathbf{A}}, \mathbf{u}, \sigma$) taking inputs as in (3.1) 
outputs a vector $\mathbf{e} \in \mathbb{Z}^{m+m_1}$ distributed statistically close to $\mathcal{D}_{\Lambda_q^{\mathbf{u}}(\mathbf{F}),\sigma}$, where 
$\mathbf{F} := (\mathbf{A} \,\|\, \mathbf{B})$. 

Algorithm SampleRight($\mathbf{A}, \mathbf{B}, \mathbf{R}, \mathbf{T}_{\mathbf{B}}, \mathbf{u}, \sigma$): 

Inputs: matrices $\mathbf{A}$ in $\mathbb{Z}_q^{n \times k}$ and $\mathbf{R}$ in $\mathbb{Z}^{k \times m}$, a full rank matrix $\mathbf{B}$ in $\mathbb{Z}_q^{n \times m}$, 
a “short” basis $\mathbf{T}_{\mathbf{B}}$ of $\Lambda_q^{\perp}(\mathbf{B})$, a vector $\mathbf{u} \in \mathbb{Z}_q^n$, and a Gaussian parameter $\sigma$. (3.2) 

Output: Let $\mathbf{F} := (\mathbf{A} \,\|\, \mathbf{A}\mathbf{R} + \mathbf{B})$. The algorithm outputs a vector $\mathbf{e} \in \mathbb{Z}^{m+k}$ 
in the coset $\Lambda_q^{\mathbf{u}}(\mathbf{F})$. 

Often the matrix $\mathbf{R}$ given to the algorithm as input will be a random matrix in 
$\{1, -1\}^{m \times m}$. Let $S^m$ be the $m$-sphere $\{\mathbf{x} \in \mathbb{R}^{m+1} : \|\mathbf{x}\| = 1\}$. We define 
$s_{\mathbf{R}} := \|\mathbf{R}\| := \sup_{\mathbf{x} \in S^{m-1}} \|\mathbf{R} \cdot \mathbf{x}\|$. 

Theorem 3.4 ([1, Theorem 19]). Let $q > 2$, $m > n$ and $\sigma > \|\tilde{\mathbf{T}}_{\mathbf{B}}\| \cdot s_{\mathbf{R}} \cdot \omega(\sqrt{\log m})$. 
Then SampleRight($\mathbf{A}, \mathbf{B}, \mathbf{R}, \mathbf{T}_{\mathbf{B}}, \mathbf{u}, \sigma$) taking inputs as in (3.2) outputs a vector $\mathbf{e} \in \mathbb{Z}^{m+k}$ 
distributed statistically close to $\mathcal{D}_{\Lambda_q^{\mathbf{u}}(\mathbf{F}),\sigma}$, where $\mathbf{F} := (\mathbf{A} \,\|\, \mathbf{A}\mathbf{R} + \mathbf{B})$. 
3.3 The LWE Problem 

The learning with errors problem, or LWE, is the problem of determining a secret vector 
over $\mathbb{Z}_q$ given an arbitrary number of “noisy” inner products. The decision variant is to 
distinguish such samples from random. More formally, we define the (average-case) 
problem as follows: 

Definition 3.5 (Regev). Let $n \ge 1$ and $q \ge 2$ be integers, and let $\chi$ be a probability 
distribution on $\mathbb{Z}_q$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s},\chi}$ be the probability distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ 
obtained by choosing a vector $\mathbf{a} \in \mathbb{Z}_q^n$ uniformly at random, choosing $e \in \mathbb{Z}_q$ according 
to $\chi$, and outputting $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e)$. 

(a) The search-LWE$_{q,n,\chi}$ problem is: for uniformly random $\mathbf{s} \in \mathbb{Z}_q^n$, given a poly($n$) 
number of samples from $A_{\mathbf{s},\chi}$, output $\mathbf{s}$. 

(b) The decision-LWE$_{q,n,\chi}$ problem is: for uniformly random $\mathbf{s} \in \mathbb{Z}_q^n$, given a poly($n$) 
number of samples that are either (all) from $A_{\mathbf{s},\chi}$ or (all) uniformly random in 
$\mathbb{Z}_q^n \times \mathbb{Z}_q$, output 0 if the former holds and 1 if the latter holds. 

We say the decision-LWE$_{q,n,\chi}$ problem is infeasible if for all polynomial-time algo- 
rithms $\mathcal{A}$, the probability that $\mathcal{A}$ solves the decision-LWE problem (over $\mathbf{s}$ and $\mathcal{A}$'s 
random coins) is negligibly close to $1/2$ as a function of $n$. 

The power of the LWE problem comes from the fact that for certain noise distribu- 
tions $\chi$, solving the search-LWE problem is as hard as finding approximate solutions to 
the shortest independent vectors problem (SIVP) and the decision version of the shortest 
vector problem (GapSVP) in the worst case. For polynomial size $q$ there is a quantum 
reduction due to Regev, while for exponential size $q$ there is a classical reduction due 
to Peikert. Furthermore, the search and decision versions of the problem are equivalent 
whenever $q$ is a product of small primes. These results are summarized in the following: 

Definition 3.6. For $\alpha \in (0, 1)$ and an integer $q \ge 2$, let $\bar{\Psi}_\alpha$ denote the probability 
distribution over $\mathbb{Z}_q$ obtained by choosing $x \in \mathbb{R}$ according to the normal distribution 
with mean 0 and standard deviation $\alpha / \sqrt{2\pi}$ and outputting $\lfloor q x \rceil$. 

Theorem 3.7 (Regev). Let $n, q$ be integers and $\alpha \in (0, 1)$ such that $q = \mathrm{poly}(n)$ and 
$\alpha q > 2\sqrt{n}$. If there exists an efficient (possibly quantum) algorithm that solves decision- 
LWE$_{q,n,\bar{\Psi}_\alpha}$, then there exists an efficient quantum algorithm that approximates SIVP 
and GapSVP to within $\tilde{O}(n/\alpha)$ in the worst case. 

Theorem 3.8 (Peikert). Let $n, q$ be integers and $\alpha \in (0, 1)$, and $q = \prod_i q_i \ge 2^{n/2}$, 
where the $q_i$ are distinct primes satisfying $\omega(\sqrt{\log n}) / \alpha \le q_i \le \mathrm{poly}(n)$. If there exists 
an efficient (classical) algorithm that solves decision-LWE$_{q,n,\bar{\Psi}_\alpha}$, then there exists an 
efficient (classical) algorithm that approximates GapSVP to within $\tilde{O}(n/\alpha)$ in the worst 
case. 

The following lemma will be used to show correctness of decryption. 

Lemma 3.9 ([Lemma 12]). Let $\mathbf{e}$ be some vector in $\mathbb{Z}^m$ and let $\mathbf{y} \leftarrow \bar{\Psi}_\alpha^m$. Then the 
quantity $|\langle \mathbf{e}, \mathbf{y} \rangle|$ when treated as an integer in $(-q/2, q/2]$ satisfies 

$$|\langle \mathbf{e}, \mathbf{y} \rangle| \le \|\mathbf{e}\| \, q\alpha \cdot \omega(\sqrt{\log m}) + \|\mathbf{e}\| \sqrt{m} / 2$$

with overwhelming probability (in $m$). 
4 A Functional Encryption Scheme for Inner Product Predicates 

In our system, each secret key will be associated with a predicate vector $\vec v \in \mathbb{Z}_q^{\ell}$ (for 
some fixed $\ell \ge 2$) and each ciphertext will be associated with an attribute vector $\vec w \in \mathbb{Z}_q^{\ell}$. 
Decryption should succeed if and only if $\langle \vec v, \vec w \rangle = 0 \pmod q$. Hence the predicate 
associated with the secret key is defined as $f_{\vec v}(\vec w) = 1$ if $\langle \vec v, \vec w \rangle = 0 \pmod q$, and 
$f_{\vec v}(\vec w) = 0$ otherwise. 

4.1 The Construction 

Let $n \in \mathbb{Z}^+$ be a security parameter and $\ell$ be the dimension of predicate and attribute 
vectors. Let $q = q(n, \ell)$ and $m = m(n, \ell)$ be positive integers. Let $\sigma = \sigma(n, \ell)$ and 
$\alpha = \alpha(n, \ell)$ be positive real Gaussian parameters. Define $k = k(n, \ell) := \lfloor \lg q \rfloor$. 
The encryption scheme described below encrypts a single bit; we show how to encrypt 
multiple bits in the full version of this paper [§4.5]. 

LinFE.Setup($1^n$, $1^\ell$): On input a security parameter $n$ and a parameter $\ell$ denoting the 
dimension of predicate and attribute vectors, do: 

1. Use the algorithm TrapGen($q, n, m$) (from Theorem 3.1) to select a matrix 
$\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ together with a full-rank set of vectors $\mathbf{T}_{\mathbf{A}} \subset \Lambda_q^{\perp}(\mathbf{A})$ such that 
$\|\tilde{\mathbf{T}}_{\mathbf{A}}\| \le \sqrt{n} \cdot \omega(\sqrt{\log m})$. 

2. Choose $\ell \cdot (1 + k)$ uniformly random matrices $\mathbf{A}_{i,\gamma} \in \mathbb{Z}_q^{n \times m}$ for $i = 1, \dots, \ell$ 
and $\gamma = 0, \dots, k$. 

3. Select a uniformly random vector $\mathbf{u} \in \mathbb{Z}_q^n$. 

Output PP $= (\mathbf{A}, \{\mathbf{A}_{i,\gamma}\}_{i \in \{1,\dots,\ell\},\, \gamma \in \{0,\dots,k\}}, \mathbf{u})$ and MK $= \mathbf{T}_{\mathbf{A}}$. 

LinFE.KeyGen(PP, MK, $\vec v$): On input public parameters PP, a master secret key MK, 
and a predicate vector $\vec v = (v_1, \dots, v_\ell) \in \mathbb{Z}_q^{\ell}$, do: 

1. For $i = 1, \dots, \ell$, let $\hat v_i$ be the integer in $[0, q-1]$ congruent to $v_i \bmod q$. Write 
the binary decomposition of $\hat v_i$ as 

$$\hat v_i = \sum_{\gamma=0}^{k} v_{i,\gamma} \cdot 2^{\gamma}, \qquad (4.1)$$

where the $v_{i,\gamma}$ are in $\{0, 1\}$. 

2. Define the matrices 

$$\mathbf{C}_{\vec v} := \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{A}_{i,\gamma} \in \mathbb{Z}_q^{n \times m}, \qquad \mathbf{A}_{\vec v} := [\mathbf{A} \,\|\, \mathbf{C}_{\vec v}] \in \mathbb{Z}_q^{n \times 2m}.$$

3. Using the master secret key MK $= \mathbf{T}_{\mathbf{A}}$ and the Gaussian parameter $\sigma$, compute 
$\mathbf{e} \leftarrow$ SampleLeft($\mathbf{A}, \mathbf{C}_{\vec v}, \mathbf{T}_{\mathbf{A}}, \mathbf{u}, \sigma$). 
Then $\mathbf{e}$ is a vector in $\mathbb{Z}^{2m}$ satisfying $\mathbf{A}_{\vec v} \cdot \mathbf{e} = \mathbf{u} \bmod q$. 

Output the secret key $\mathrm{sk}_{\vec v} = \mathbf{e}$. 
LinFE.Enc(PP, $\vec w$, $M$): On input public parameters PP, an attribute vector $\vec w$, and a 
message $M \in \{0, 1\}$, do: 

1. Choose a uniformly random matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$. 

2. Choose a uniformly random $\mathbf{s} \in \mathbb{Z}_q^n$. 

3. Choose a noise vector $\mathbf{x} \leftarrow \bar{\Psi}_\alpha^m$ and a noise term $x \leftarrow \bar{\Psi}_\alpha$. 

4. Compute $\mathbf{c}_0 \leftarrow \mathbf{A}^T \mathbf{s} + \mathbf{x} \in \mathbb{Z}_q^m$. 

5. For $i = 1, \dots, \ell$ and $\gamma = 0, \dots, k$, do the following: 

(a) Pick a random matrix $\mathbf{R}_{i,\gamma} \in \{-1, 1\}^{m \times m}$. 

(b) Compute $\mathbf{c}_{i,\gamma} \leftarrow (\mathbf{A}_{i,\gamma} + 2^{\gamma} w_i \mathbf{B})^T \mathbf{s} + \mathbf{R}_{i,\gamma}^T \mathbf{x} \in \mathbb{Z}_q^m$. 

6. Compute $d \leftarrow \mathbf{u}^T \mathbf{s} + x + M \cdot \lfloor q/2 \rfloor \in \mathbb{Z}_q$. 

Output the ciphertext CT $:= (\mathbf{c}_0, \{\mathbf{c}_{i,\gamma}\}_{i \in \{1,\dots,\ell\},\, \gamma \in \{0,\dots,k\}}, d)$. 

LinFE.Dec(PP, $\mathrm{sk}_{\vec v}$, CT): On input public parameters PP, a secret key $\mathrm{sk}_{\vec v} = \mathbf{e}$ for 
predicate vector $\vec v$, and a ciphertext CT $= (\mathbf{c}_0, \{\mathbf{c}_{i,\gamma}\}_{i,\gamma}, d)$, do: 

1. Define the binary expansion of the vector $\vec v$ as in (4.1) and compute 

$$\mathbf{c}_{\vec v} := \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{c}_{i,\gamma} \in \mathbb{Z}_q^m.$$

2. Let $\mathbf{c} := [\mathbf{c}_0 \,|\, \mathbf{c}_{\vec v}]$. 

3. Compute $z \leftarrow d - \mathbf{e}^T \mathbf{c} \pmod q$. 

Output 0 if $|z| < q/4$ (when interpreted as an integer in $(-q/2, q/2]$) and 1 
otherwise. 

For consistency with prior work, we choose the noise in Step 3 of Enc from the rounded 
continuous Gaussian $\bar{\Psi}_\alpha$. It was pointed out to us by a referee that one can instead use 
the discrete Gaussian $\mathcal{D}_{\mathbb{Z},\alpha q}$ and obtain a system with the same security guarantee (up to 
a factor of $\sqrt{2}$); this result follows from [Lemma 2], using the work of Peikert. 

4.2 Correctness 

We now show that for certain parameter choices, if a bit $M$ is encrypted to the attribute 
vector $\vec w$, the secret key $\mathrm{sk}_{\vec v}$ corresponds to a predicate vector $\vec v$, and $\langle \vec v, \vec w \rangle = 0 \pmod q$, 
then the LinFE.Dec algorithm recovers $M$. 

Lemma 4.1. Suppose the parameters $q$ and $\alpha$ are such that 

$$q / \lg q = \Omega\big(\sigma \cdot \ell \cdot m^{3/2}\big) \quad\text{and}\quad \alpha \le \big(\lg q \cdot \sigma \cdot \ell \cdot m \cdot \omega(\sqrt{\log m})\big)^{-1}.$$

Let $\mathbf{e} \leftarrow$ KeyGen(PP, MK, $\vec v$), CT $\leftarrow$ Enc(PP, $\vec w$, $M$), and $M' \leftarrow$ Dec(PP, $\mathbf{e}$, CT). If 
$\langle \vec v, \vec w \rangle = 0 \pmod q$, then with overwhelming probability we have $M' = M$. 

Proof. During the first step of LinFE.Dec we compute $\mathbf{c}_{\vec v}$, which is by definition: 

$$\mathbf{c}_{\vec v} = \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{c}_{i,\gamma}.$$

This can be expanded as 

$$\begin{aligned}
\mathbf{c}_{\vec v} &= \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \big[ (\mathbf{A}_{i,\gamma} + 2^{\gamma} w_i \mathbf{B})^T \mathbf{s} + \mathbf{R}_{i,\gamma}^T \mathbf{x} \big] \\
&= \Big( \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{A}_{i,\gamma} \Big)^T \mathbf{s} + \Big( \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} 2^{\gamma} w_i \Big) \mathbf{B}^T \mathbf{s} + \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \\
&= \mathbf{C}_{\vec v}^T \mathbf{s} + \langle \vec v, \vec w \rangle \, \mathbf{B}^T \mathbf{s} + \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \pmod q. \qquad (4.2)
\end{aligned}$$

If $\langle \vec v, \vec w \rangle = 0 \pmod q$, then the middle term of (4.2) disappears, leaving 

$$\mathbf{c}_{\vec v} = \Big( \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{A}_{i,\gamma} \Big)^T \mathbf{s} + \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \pmod q.$$

In the second step of LinFE.Dec we have: 

$$\mathbf{c} = [\mathbf{c}_0 \,|\, \mathbf{c}_{\vec v}] = \Big[ \mathbf{A} \,\Big\|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{A}_{i,\gamma} \Big]^T \mathbf{s} + \Big[ \mathbf{x} \,\Big|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \Big] = \mathbf{A}_{\vec v}^T \mathbf{s} + \Big[ \mathbf{x} \,\Big|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \Big] \pmod q.$$

In the third step of LinFE.Dec we multiply $\mathbf{c}$ with the key $\mathbf{e}$. Recall that by Theorem 3.3 
we have $\mathbf{A}_{\vec v} \cdot \mathbf{e} = \mathbf{u} \pmod q$. It follows that 

$$\mathbf{e}^T \mathbf{c} = \mathbf{u}^T \mathbf{s} + \mathbf{e}^T \Big[ \mathbf{x} \,\Big|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \Big] \pmod q.$$

Finally, we compute: 

$$\begin{aligned}
z &= d - \mathbf{e}^T \mathbf{c} \pmod q \\
&= (\mathbf{u}^T \mathbf{s} + x + M \cdot \lfloor q/2 \rfloor) - \mathbf{u}^T \mathbf{s} - \mathbf{e}^T \Big[ \mathbf{x} \,\Big|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \Big] \pmod q \\
&= M \cdot \lfloor q/2 \rfloor + \Big( x - \mathbf{e}^T \Big[ \mathbf{x} \,\Big|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \Big] \Big) \pmod q. \qquad (4.3)
\end{aligned}$$

To obtain $M' = M$, it suffices to set the parameters so that with overwhelming 
probability, 

$$\Big| x - \mathbf{e}^T \Big[ \mathbf{x} \,\Big|\, \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma}^T \mathbf{x} \Big] \Big| < q/4.$$

Writing $\mathbf{e} = [\mathbf{e}_1 \,|\, \mathbf{e}_2]$ with $\mathbf{e}_i \in \mathbb{Z}^m$ allows us to rewrite this “noise” term as 

$$x - \Big( \mathbf{e}_1 + \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma} \mathbf{e}_2 \Big)^T \mathbf{x}.$$

By Theorem 3.3 and Lemma 3.2 we have $\|\mathbf{e}\| \le \sigma \sqrt{2m}$ with overwhelming 
probability. By [Lemma 15], we have $\|\mathbf{R}_{i,\gamma} \mathbf{e}_2\| \le 12\sqrt{2m} \cdot \|\mathbf{e}_2\|$ with overwhelming 
probability. Since $v_{i,\gamma} \in \{0, 1\}$ it follows that 

$$\Big\| \mathbf{e}_1 + \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}_{i,\gamma} \mathbf{e}_2 \Big\| \le \big(1 + 12 \cdot \ell \cdot (1 + k) \cdot \sqrt{2m}\big) \cdot \sigma \sqrt{2m} = O(\ell \cdot k \cdot \sigma \cdot m).$$

It now follows from Lemma 3.9 that the error term in (4.3) has absolute value at most 

$$\big( q\alpha \cdot \omega(\sqrt{\log m}) + \sqrt{m} / 2 \big) \cdot O(\ell \cdot \sigma \cdot m \cdot \lg q). \qquad (4.4)$$

(Recall that $k = \lfloor \lg q \rfloor$.) For the quantity (4.4) to have absolute value less than $q/4$, it 
suffices to choose $q$ and $\alpha$ as in the statement of the Lemma. □ 
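As an added example (it is not code from the paper), the following Python toy models the LinFE algorithms above at tiny, insecure parameter sizes and checks the decryption identity derived in this proof numerically. It assumes a constructed modulus $q = 65521$ with $n = 4$, $m = 6$, $\ell = 3$; noise drawn from $\{-1, 0, 1\}$ in place of $\bar{\Psi}_\alpha$; and a key-generation shortcut (choose a short $\mathbf{e}$ first, then set $\mathbf{u} := \mathbf{A}_{\vec v} \mathbf{e} \bmod q$) standing in for TrapGen and SampleLeft, since the point is the algebra of Enc and Dec rather than trapdoor sampling. It goes beyond the worked case in one respect: the predicate entries are as large as $q - 1$, which the binary decomposition (4.1) handles with the same noise bound.

```python
"""Toy LinFE model (added example, not the paper's code).

Constructed toy parameters q = 65521, n = 4, m = 6, ell = 3; noise in {-1,0,1}
instead of Psi_alpha; keygen_demo picks a short e and sets u := A_v e mod q
instead of TrapGen/SampleLeft.  Enc and Dec follow LinFE.Enc / LinFE.Dec, so
z = M*floor(q/2) + (x - e^T [x | sum v_{i,g} R_{i,g}^T x]) can be checked.
"""
import random

Q = 65521               # toy modulus (constructed); not a secure parameter
N, M, L = 4, 6, 3       # n (LWE dim), m (lattice dim), ell (vector length)
K = Q.bit_length() - 1  # k = floor(lg q); bit positions gamma = 0..K
rng = random.Random(2011)


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def binary_digits(v_i):
    """v_hat_i = sum_gamma v_{i,gamma} 2^gamma with v_{i,gamma} in {0,1}  (4.1)."""
    return [((v_i % Q) >> g) & 1 for g in range(K + 1)]


def rand_matrix(rows, cols):
    return [[rng.randint(0, Q - 1) for _ in range(cols)] for _ in range(rows)]


def sign_matrix(rows, cols):
    return [[rng.choice((-1, 1)) for _ in range(cols)] for _ in range(rows)]


def transpose_mul(A, s):
    """A^T s mod q for A with len(s) rows."""
    return [sum(A[r][c] * s[r] for r in range(len(A))) % Q for c in range(len(A[0]))]


def mat_add(X, Y, scale=1):
    return [[(x + scale * y) % Q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def vec_add(x, y):
    return [(a + b) % Q for a, b in zip(x, y)]


def small_noise(length):
    """Stand-in for Psi_alpha: entries in {-1, 0, 1}."""
    return [rng.randint(-1, 1) for _ in range(length)]


def inner_mod_q(v, w):
    return sum(a * b for a, b in zip(v, w)) % Q


def setup():
    """A and the ell*(1+k) matrices A_{i,gamma}; u comes from keygen_demo here."""
    return {"A": rand_matrix(N, M),
            "A_ig": {(i, g): rand_matrix(N, M) for i in range(L) for g in range(K + 1)}}


def C_matrix(pp, v):
    """C_v = sum_{i,gamma} v_{i,gamma} A_{i,gamma}."""
    C = [[0] * M for _ in range(N)]
    for i in range(L):
        for g, bit in enumerate(binary_digits(v[i])):
            if bit:
                C = mat_add(C, pp["A_ig"][(i, g)])
    return C


def keygen_demo(pp, v):
    """Demo shortcut: short e first, then u := [A || C_v] e mod q."""
    e = small_noise(2 * M)
    C = C_matrix(pp, v)
    A_v = [pp["A"][r] + C[r] for r in range(N)]
    u = [sum(A_v[r][c] * e[c] for c in range(2 * M)) % Q for r in range(N)]
    return e, u


def encrypt(pp, u, w, msg):
    """LinFE.Enc steps 1-6 for a one-bit message."""
    B = rand_matrix(N, M)
    s = [rng.randint(0, Q - 1) for _ in range(N)]
    x, x0 = small_noise(M), small_noise(1)[0]
    c0 = vec_add(transpose_mul(pp["A"], s), x)               # A^T s + x
    c = {}
    for i in range(L):
        for g in range(K + 1):
            R = sign_matrix(M, M)                              # R_{i,gamma}
            A_ig_w = mat_add(pp["A_ig"][(i, g)], B, scale=(2 ** g) * w[i])
            c[(i, g)] = vec_add(transpose_mul(A_ig_w, s), transpose_mul(R, x))
    d = (sum(a * b for a, b in zip(u, s)) + x0 + msg * (Q // 2)) % Q
    return c0, c, d


def decrypt(e, v, ct):
    """LinFE.Dec; returns (bit, z) with z centered in (-q/2, q/2]."""
    c0, c, d = ct
    cv = [0] * M
    for i in range(L):
        for g, bit in enumerate(binary_digits(v[i])):
            if bit:
                cv = vec_add(cv, c[(i, g)])                    # c_v = sum v_{i,gamma} c_{i,gamma}
    z = centered(d - sum(a * b for a, b in zip(e, c0 + cv)))
    return (0 if abs(z) < Q / 4 else 1), z


def run(v, w, msg):
    """Returns (recovered bit, noise term); noise is None unless <v,w> = 0 mod q."""
    pp = setup()
    e, u = keygen_demo(pp, v)
    bit, z = decrypt(e, v, encrypt(pp, u, w, msg))
    noise = centered(z - msg * (Q // 2)) if inner_mod_q(v, w) == 0 else None
    return bit, noise


if __name__ == "__main__":
    v = [Q - 1, 2, 3]                       # large entries are fine: binary decomposition
    w_ok, w_bad = [1, 2, Q - 1], [1, 1, 1]  # <v,w_ok> = q mod q = 0; <v,w_bad> = 4
    for bit in (0, 1):
        print("M =", bit, "matching:", run(v, w_ok, bit), " non-matching:", run(v, w_bad, bit))
```

Running the module prints the recovered bit and the noise term $x - \mathbf{e}^T[\mathbf{x} \,|\, \sum v_{i,\gamma}\mathbf{R}_{i,\gamma}^T\mathbf{x}]$ for a matching and a non-matching attribute. With these sizes the noise stays at most a few hundred in absolute value against a threshold of $q/4 \approx 16380$, so the matching case always decrypts; for a non-matching attribute the surviving $\langle \vec v, \vec w \rangle \, \mathbf{e}_2^T \mathbf{B}^T \mathbf{s}$ term makes $z$ essentially uniform, which is the relaxed correctness condition noted after Definition 2.1.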

4.3 Security 

We use the simulation technique of Agrawal, Boneh, and Boyen to reduce the 
security of our system to the hardness of the decision-LWE problem. 

Theorem 4.2. Suppose $m > 6n \log q$. If the decision-LWE$_{q,n,\bar{\Psi}_\alpha}$ problem is infeasible, 
then the predicate encryption scheme described above is weakly attribute hiding. 

To prove the theorem we define a series of three games against an adversary $\mathcal{A}$ that plays 
the weak attribute hiding game (subject to the modification described in Remark 2.3). 
The adversary $\mathcal{A}$ outputs two attribute vectors $\vec w_0$ and $\vec w_1$ at the beginning of each 
game, and at some point outputs two messages $M_0$ and $M_1$. Each game comes in two 
variants, reflecting the choice of attribute/message pair used to create the challenge 
ciphertext. The first game corresponds to the real security game. In the other two games 
we use “alternative” setup, key generation, and encryption algorithms Sim.Setup, 
Sim.KeyGen, and Sim.Enc. The algorithm Sim.Setup takes as additional input an 
attribute vector $\vec w^*$, and Sim.Enc takes as additional input the master key output by 
Sim.Setup. Recall that during the course of the game the adversary can only request 
keys for predicate vectors $\vec v$ such that $\langle \vec v, \vec w_0 \rangle \neq 0$ and $\langle \vec v, \vec w_1 \rangle \neq 0$. 

Game$_{0,b}$: For $b \in \{0, 1\}$, the challenger runs the LinFE.Setup algorithm, answers the 
adversary's secret key queries using the LinFE.KeyGen algorithm, and generates 
the challenge ciphertext using the LinFE.Enc algorithm with attribute $\vec w_b$ and 
message $M_b$. 

Game$_{1,b}$: For $b \in \{0, 1\}$, the challenger runs the Sim.Setup algorithm with $\vec w^* = \vec w_b$ 
and answers the adversary's secret key queries using the Sim.KeyGen algorithm. 
The challenger generates the challenge ciphertext using the Sim.Enc algorithm 
with attribute $\vec w_b$ and message $M_b$. 

Game$_{2,b}$: This game is the same as Game$_{1,b}$, except the challenger generates the 
challenge ciphertext by choosing a uniformly random element of the ciphertext 
space. 

We now define the alternative setup, key generation, and encryption algorithms. 

Sim.Setup($1^n$, $1^\ell$, $\vec w^*$): On input a security parameter $n$, a parameter $\ell$ denoting the 
dimension of predicate and attribute vectors, and an attribute vector $\vec w^* \in \mathbb{Z}_q^{\ell}$, do the 
following: 

1. Choose a random matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a random vector $\mathbf{u} \in \mathbb{Z}_q^n$. 

2. Use TrapGen($q, n, m$) to generate a matrix $\mathbf{B}^* \in \mathbb{Z}_q^{n \times m}$ along with a basis $\mathbf{T}_{\mathbf{B}^*}$ 
of $\Lambda_q^{\perp}(\mathbf{B}^*)$. 

3. For $i = 1, \dots, \ell$ and $\gamma = 0, \dots, k$, pick random matrices $\mathbf{R}^*_{i,\gamma} \in \{-1, 1\}^{m \times m}$ 
and set 

$$\mathbf{A}_{i,\gamma} \leftarrow \mathbf{A} \mathbf{R}^*_{i,\gamma} - 2^{\gamma} w^*_i \mathbf{B}^*.$$

Output the public parameters and master key 

$$\mathrm{PP} = (\mathbf{A}, \{\mathbf{A}_{i,\gamma}\}_{i \in \{1,\dots,\ell\},\, \gamma \in \{0,\dots,k\}}, \mathbf{u}), \qquad \mathrm{MK} = (\vec w^*, \{\mathbf{R}^*_{i,\gamma}\}_{i \in \{1,\dots,\ell\},\, \gamma \in \{0,\dots,k\}}, \mathbf{B}^*, \mathbf{T}_{\mathbf{B}^*}).$$

Sim.KeyGen(PP, MK, $\vec v$): On input public parameters PP, a master key MK, and a 
vector $\vec v \in \mathbb{Z}_q^{\ell}$, do the following: 

1. If $\langle \vec v, \vec w^* \rangle = 0$, output $\bot$. 

2. Define the binary decomposition of $v_i$ as in (4.1). 

3. Define the matrices 

$$\mathbf{C}_{\vec v} := \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{A}_{i,\gamma} \in \mathbb{Z}_q^{n \times m}, \qquad \mathbf{A}_{\vec v} := [\mathbf{A} \,\|\, \mathbf{C}_{\vec v}] \in \mathbb{Z}_q^{n \times 2m}.$$

Observe that 

$$\mathbf{C}_{\vec v} = \mathbf{A} \Big( \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}^*_{i,\gamma} \Big) - \langle \vec v, \vec w^* \rangle \, \mathbf{B}^* \pmod q.$$

4. Let $\mathbf{e} \leftarrow$ SampleRight$\Big(\mathbf{A},\ -\langle \vec v, \vec w^* \rangle \mathbf{B}^*,\ \sum_{i=1}^{\ell} \sum_{\gamma=0}^{k} v_{i,\gamma} \mathbf{R}^*_{i,\gamma},\ \mathbf{T}_{\mathbf{B}^*},\ \mathbf{u},\ \sigma\Big) \in \mathbb{Z}^{2m}$. 

Output the secret key $\mathrm{sk}_{\vec v} = \mathbf{e}$. 
Sim.Enc(PP, $\vec w$, $M$, MK): This algorithm is the same as the LinFE.Enc algorithm, 
except: 

1. In Step 1, the matrix $\mathbf{B}^* \in$ MK is used instead of a random matrix $\mathbf{B}$. 

2. In Step 5a, the matrices $\mathbf{R}^*_{i,\gamma} \in$ MK are used instead of random matrices $\mathbf{R}_{i,\gamma}$ 
for $i = 1, \dots, \ell$ and $\gamma = 0, \dots, k$. 

To prove security of our system, we show that the two games in each of the 
pairs (Game$_{0,b}$, Game$_{1,b}$), (Game$_{1,b}$, Game$_{2,b}$) and (Game$_{2,0}$, Game$_{2,1}$) are either 
statistically or computationally indistinguishable (under the decision-LWE assumption) 
from the point of view of the adversary. Theorem 4.2 then follows from a simple hybrid 
argument; details are in the full version of this paper. 

Lemma 4.3. For a given $b \in \{0, 1\}$, the view of the adversary $\mathcal{A}$ in Game$_{0,b}$ is 
statistically close to the view of $\mathcal{A}$ in Game$_{1,b}$. 

The proof of Lemma 4.3 can be found in the full version of this paper. 

Lemma 4.4. For a given $b \in \{0, 1\}$, if the decision-LWE assumption holds, then the 
view of the adversary $\mathcal{A}$ in Game$_{1,b}$ is computationally indistinguishable from the view 
of $\mathcal{A}$ in Game$_{2,b}$. 

Proof. Suppose we are given $m + 1$ LWE challenges $(\mathbf{a}_j, y_j) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ for $j = 0, \dots, m$, 
where either $y_j = \langle \mathbf{a}_j, \mathbf{s} \rangle + x_j$ for some (fixed) random secret $\mathbf{s} \in \mathbb{Z}_q^n$ and 
Gaussian noise $x_j \leftarrow \bar{\Psi}_\alpha$, or $y_j$ is uniformly random in $\mathbb{Z}_q$ (and this choice is the same 
for each challenge). We define the following variables: 

$$\mathbf{A} := (\mathbf{a}_1, \dots, \mathbf{a}_m) \in \mathbb{Z}_q^{n \times m}, \qquad \mathbf{u} := \mathbf{a}_0 \in \mathbb{Z}_q^n, \qquad \mathbf{c}_0 := (y_1, \dots, y_m) \in \mathbb{Z}_q^m, \qquad d := y_0 + M_b \cdot \lfloor q/2 \rfloor. \qquad (4.5)$$

We simulate the challenger as follows: 

- Setup: Run Sim.Setup with $\vec w^* = \vec w_b$, and let $\mathbf{A}$ and $\mathbf{u}$ be as in (4.5). 

- Private key queries: Run the Sim.KeyGen algorithm. 

- Challenge ciphertext: For $i = 1, \dots, \ell$ and $\gamma = 0, \dots, k$, let $\mathbf{c}_{i,\gamma} = \mathbf{R}^{*T}_{i,\gamma} \mathbf{c}_0$ 
(using $\mathbf{R}^*_{i,\gamma} \in$ MK). Output $(\mathbf{c}_0, \{\mathbf{c}_{i,\gamma}\}_{i \in \{1,\dots,\ell\},\, \gamma \in \{0,\dots,k\}}, d)$. 

Now observe that for $i = 1, \dots, \ell$ and $\gamma = 0, \dots, k$, the Sim.Enc algorithm sets 

$$\mathbf{c}_{i,\gamma} = (\mathbf{A} \mathbf{R}^*_{i,\gamma} - 2^{\gamma} w^*_i \mathbf{B}^* + 2^{\gamma} w^*_i \mathbf{B}^*)^T \mathbf{s} + \mathbf{R}^{*T}_{i,\gamma} \mathbf{x} = \mathbf{R}^{*T}_{i,\gamma} (\mathbf{A}^T \mathbf{s} + \mathbf{x}).$$

It follows that if $y_j = \langle \mathbf{a}_j, \mathbf{s} \rangle + x_j$, then $\mathbf{c}_{i,\gamma} = \mathbf{R}^{*T}_{i,\gamma} \mathbf{c}_0$ and the simulator described 
above is identical to the challenger in Game$_{1,b}$. 

On the other hand, if $y_j$ is random in $\mathbb{Z}_q$, then the simulated ciphertext is 
$(\mathbf{c}_0, \mathbf{R}^{*T} \mathbf{c}_0, d)$, where $\mathbf{R}^*$ is the concatenation of the matrices $\mathbf{R}^*_{i,\gamma}$. By the standard 
leftover hash lemma (e.g. [Theorem 8.37]), the quantities $\mathbf{A} \mathbf{R}^*$ and $\mathbf{R}^{*T} \mathbf{c}_0$ are 
independent uniformly random samples. Thus in this case the ciphertext is uniformly 
random and the simulator described above is identical to the challenger in Game$_{2,b}$. 

We conclude that any efficient adversary that can distinguish Game$_{1,b}$ from Game$_{2,b}$ 
can solve the decision-LWE problem. □ 

Lemma 4.5. The view of the adversary $\mathcal{A}$ in Game$_{2,0}$ is statistically indistinguishable 
from the view of $\mathcal{A}$ in Game$_{2,1}$. 

Proof. Note that the only place where $\vec w^*$ appears in Game$_{2,b}$ is in the public parameter 
$\mathbf{A}_{i,\gamma} := \mathbf{A} \mathbf{R}^*_{i,\gamma} - 2^{\gamma} w^*_i \mathbf{B}^*$. Let $\bar{\mathbf{R}}^* \in \mathbb{Z}^{m \times m\ell(k+1)}$ be the concatenation of the 
$\mathbf{R}^*_{i,\gamma}$, and let $\bar{\mathbf{A}} \in \mathbb{Z}_q^{n \times m\ell(k+1)}$ be the concatenation of the matrices 
$\mathbf{A} \mathbf{R}^*_{i,\gamma} = \mathbf{A}_{i,\gamma} + 2^{\gamma} w^*_i \mathbf{B}^*$, so that $\bar{\mathbf{A}} = \mathbf{A} \bar{\mathbf{R}}^*$. By [Lemma 13] 
the pair $(\mathbf{A}, \mathbf{A} \bar{\mathbf{R}}^*)$ is statistically indistinguishable from $(\mathbf{A}, \mathbf{C})$ where $\mathbf{C}$ 
is uniformly random. Since for any fixed value of $\mathbf{X}$ and uniformly random $\mathbf{C}$, the 
variable $\mathbf{C} - \mathbf{X}$ is also uniformly random, it follows that the distributions of $\mathbf{A}_{i,\gamma}$ in the 
two games are statistically indistinguishable. 

4.4 Parameter Selection 

We can extract from the above description the parameters required for correctness and 
security of the system. For correctness of decryption, by Lemma 4.1 we require 

$$q / \lg q = \Omega\big(\sigma \cdot \ell \cdot m^{3/2}\big) \quad\text{and}\quad \alpha \le \big(\lg q \cdot \sigma \cdot \ell \cdot m \cdot \omega(\sqrt{\log m})\big)^{-1}. \qquad (4.6)$$

In our security theorem (Theorem 4.2), we require $m > 6n \lg q$ in order for the output of 
TrapGen to be statistically random. The additional constraints imposed by our security 
reduction are the following: 

- From the description of LinFE.Setup and LinFE.KeyGen, we have $\|\tilde{\mathbf{T}}_{\mathbf{A}}\| = O(\sqrt{n \log q})$ 
(by Theorem 3.1) and $\mathbf{e} \leftarrow \mathcal{D}_{\Lambda_q^{\mathbf{u}}(\mathbf{A}_{\vec v}),\sigma}$ (by Theorem 3.3), subject 
to the requirement that 

$$\sigma > \|\tilde{\mathbf{T}}_{\mathbf{A}}\| \cdot \omega(\sqrt{\log 2m}) = O(\sqrt{n \log q}) \cdot \omega(\sqrt{\log m}).$$

- From the description of Sim.Setup and Sim.KeyGen, we have $\|\tilde{\mathbf{T}}_{\mathbf{B}^*}\| = O(\sqrt{n \log q})$ 
(by Theorem 3.1) and $\mathbf{e} \leftarrow \mathcal{D}_{\Lambda_q^{\mathbf{u}}(\mathbf{A}_{\vec v}),\sigma}$ (by Theorem 3.4), subject 
to the requirement that 

$$\sigma > \|\tilde{\mathbf{T}}_{\mathbf{B}^*}\| \cdot s_{\mathbf{R}} \cdot \omega(\sqrt{\log m}). \qquad (4.7)$$

Since $\mathbf{R}$ is a sum of $\ell \cdot (\lg q + 1)$ random matrices with $\{1, -1\}$ entries, it follows 
from [Lemma 15] that $s_{\mathbf{R}} = \sup_{\mathbf{x} \in S^{m-1}} \|\mathbf{R} \mathbf{x}\| = O(\ell \cdot (\lg q + 1) \cdot \sqrt{m})$ with 
overwhelming probability. Plugging this value into (4.7), we see that it suffices to 
choose 

$$\sigma > O(\sqrt{n \log q}) \cdot \ell \cdot (\lg q + 1) \cdot \sqrt{m} \cdot \omega(\sqrt{\log m}).$$

Thus to satisfy the more stringent of the above two conditions (i.e., the latter), we set 

$$\sigma = \omega\big(m \cdot \ell \cdot \log q \cdot \sqrt{\log m}\big), \qquad (4.8)$$

using the fact (noted above) that $m > 6n \log q$. 

In order to reduce decision-LWE to approximating worst-case lattice problems to 
within poly($n$) factors we have two options: for polynomial-size $q$ we can use Regev's 
quantum reduction (Theorem 3.7) with $q\alpha > 2\sqrt{n}$ and $\alpha > 1/\mathrm{poly}(n)$, while for 
exponential-size $q$ we can use Peikert's classical reduction (Theorem 3.8) with each 
prime factor $q_i$ of $q$ satisfying $\omega(\sqrt{\log n}) / \alpha \le q_i \le \mathrm{poly}(n)$. (Note that a large value 
of $q$ may be required for certain applications; see the full version of this paper [§5] 
for details.) 

The following selection of parameters satisfies all of these constraints. For a given $\ell$, 
pick a small constant $\delta > 0$, and set 

- $m = \lceil n^{1+\delta} \rceil$, to satisfy $m > 6n \lg q$; 

- $\sigma = \lceil n^{2+2\delta} \cdot \ell \rceil$, to satisfy (4.8); 

- $q_i$ = the $i$th prime larger than $(\ell \log \ell)^2 \cdot n^{7/2 + 5\delta}$; 

- $\alpha = \tilde{O}\big(((\ell \log \ell)^2 \cdot n^{3 + 5\delta})^{-1}\big)$, to satisfy (4.6). 

Observe that the above setting of parameters satisfies the conditions for applying 
Theorems 3.7 and 3.8. To obtain polynomial size $q$ we use $q = q_1$, while to obtain 
exponential size $q$ we use $q = \prod_{i=1}^{r} q_i$, where $r$ is chosen so that $q > 2^{n/2}$. In 
either case we can choose $\delta$ large enough so that $n^{1+\delta} > 6n \lg q$. In the former 
case, the security of the scheme can be based on the hardness of approximating SIVP 
and GapSVP to within a factor of $\tilde{O}(n/\alpha) = \tilde{O}((\ell \log \ell)^2 \cdot n^{4 + 5\delta})$ in the worst 
case (by quantum algorithms). In the latter case, security is based on the hardness of 
approximating GapSVP to within a factor of $\tilde{O}(n/\alpha) = \tilde{O}((\ell \log \ell)^2 \cdot n^{4 + 5\delta})$ in the 
worst case (by classical algorithms). 

Note that since $m > n \lg q$ and $q_i > n$, the matrices $\mathbf{A}$ and $\mathbf{B}$ have full rank modulo 
each prime divisor of $q$ with overwhelming probability, as required for successful 
execution of the SampleLeft and SampleRight algorithms. 

Finally, we note that these parameter choices are not necessarily optimal, and one 
might be able to set the parameters to have somewhat smaller values while maintaining 
correctness and security. In particular, one might be able to reduce the ciphertext size by 
using the $r$-ary expansion of the vector $\vec v$ for some $r > 2$ instead of the binary expansion 
as described above. 

5 Conclusion and Open Questions 

We have presented a lattice-based predicate encryption scheme for inner product 
predicates whose security follows from the difficulty of the learning with errors 
problem. Our construction can instantiate applications such as range and subset queries, 
polynomial evaluation, and CNF/DNF formulas on encrypted data. (A more detailed 
discussion of these applications appears in the full version of this paper.) Our 
construction is the first functional encryption scheme based on lattice techniques that 
goes beyond basic identity-based encryption. 
Many open questions still remain in this field. One direction of research is to improve 
the security of our construction. Our scheme is weakly attribute hiding in the selective 
security model, but for stronger security guarantees we would like to construct a scheme 
that is fully secure and/or fully attribute hiding. Achieving either task will require 
new simulation techniques; a natural question is whether the “dual-system” approach 
introduced by Waters and used to prove full security of attribute-based encryption 
and predicate encryption constructions using bilinear groups can be adapted 
to lattice-based constructions. 

Another direction of research is to improve the efficiency of our scheme. If 
$q = 2^{O(n)}$ is exponential size, as is needed for several of our applications, then 
setting the parameters as recommended in Section 4.4 gives public parameters of size 
$O(\ell n m \lg^2 q) = \tilde{O}(\ell n^5)$ and ciphertexts of size $O(\ell m \lg^2 q)$, which may 
be too large for practical purposes. A construction that achieved the same functionality 
with polynomial-size $q$ would be a significant step forward. The ring-LWE problem 
introduced by Lyubashevsky, Peikert, and Regev seems to be a natural candidate 
for such a construction. 

Finally, it is an open question to construct predicate encryption schemes (via any 
technique) that support a greater range of functionality than inner product predicates. 
Ideally we would like a system that could support any polynomial-size predicate 
on encrypted data. Now that predicate encryption has moved into the world of 
lattices, perhaps techniques used to construct fully homomorphic encryption from 
lattices could be used to help us move towards this goal. 

Acknowledgments. The authors thank Dan Boneh, Brent Waters, Hoeteck Wee, and 
the anonymous referees for helpful discussions and comments. 
Abstract. The interest in post-quantum cryptography — classical sys- 
tems that remain secure in the presence of a quantum adversary — has 
generated elegant proposals for new cryptosystems. Some of these sys- 
tems are set in the random oracle model and are proven secure relative 
to adversaries that have classical access to the random oracle. We argue 
that to prove post-quantum security one needs to prove security in the 
quantum-accessible random oracle model where the adversary can query 
the random oracle with quantum state. 

We begin by separating the classical and quantum-accessible ran- 
dom oracle models by presenting a scheme that is secure when the ad- 
versary is given classical access to the random oracle, but is insecure 
when the adversary can make quantum oracle queries. We then set out 
to develop generic conditions under which a classical random oracle proof 
implies security in the quantum-accessible random oracle model. We in- 
troduce the concept of a history-free reduction which is a category of clas- 
sical random oracle reductions that basically determine oracle answers 
independently of the history of previous queries, and we prove that such 
reductions imply security in the quantum model. We then show that 
certain post-quantum proposals, including ones based on lattices, can 
be proven secure using history-free reductions and are therefore post- 
quantum secure. We conclude with a rich set of open problems in this 

Keywords: Quantum, Random Oracle, Signatures, Encryption. 

1 Introduction 

The threat to existing public-key systems posed by quantum computation [Sho97] 
has generated considerable interest in post-quantum cryptosystems, namely sys- 
tems that remain secure in the presence of a quantum adversary. A promising 
direction is lattice-based cryptography, where the underlying problems are re- 
lated to finding short vectors in high dimensional lattices. These problems have 
so far remained immune to quantum attacks and some evidence suggests that 
they may be hard for quantum computers [Reg02]. 

As it is often the case, the most efficient constructions in lattice-based cryp- 
tography are set in the random oracle (RO) model [BR93]. For example, Gentry, 
Peikert, and Vaikuntanathan [GPV08] give elegant random oracle model con- 
structions for existentially unforgeable signatures and for identity-based encryp- 
tion. Gordon, Katz, and Vaikuntanathan [GKV10] construct a random oracle 
model group signature scheme. Boneh and Freeman [BF11] give a random or- 
acle homomorphic signature scheme and Cayrel et al. [CLRS10] give a lattice- 
based signature scheme using the Fiat-Shamir random oracle heuristic. Some of 
these lattice constructions can now be realized without random oracles, but at 

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 41-69, 2011. 

Modeling Random Oracles for Quantum Attackers. While quantum resistance is good motivation for lattice-based constructions, most random oracle systems to date are only proven secure relative to an adversary with classical access to the random oracle. In this model the adversary is given oracle access to a random hash function $O : \{0,1\}^* \to \{0,1\}^*$ and it can only "learn" a value $O(x)$ by querying the oracle $O$ at the classical state $x$. However, to obtain a concrete system, the random oracle is eventually replaced by a concrete hash function, thereby enabling a quantum attacker to evaluate this hash function on quantum states. To capture this issue in the model, we allow the adversary to evaluate the random oracle "in superposition", that is, the adversary can submit quantum states $|\varphi\rangle = \sum_x \alpha_x |x\rangle$ to the oracle $O$ and receives back the evaluated state $\sum_x \alpha_x |O(x)\rangle$ (appropriately encoded to make the transformation unitary). We call this the quantum(-accessible) random oracle model. It complies with similar efforts from learning theory [BJ99, SG04] and computational complexity [BBBV97] where oracles are quantum-accessible, and from lower bounds for quantum collision finders [AS04]. Still, since we are only interested in classical cryptosystems, honest parties and the scheme's algorithms can access $O$ only via classical bit strings.

Proving security in the quantum-accessible RO model is considerably harder 
than in the classical model. As a simple example, consider the case of digital 
signatures. A standard proof strategy in the classical settings is to choose ran- 
domly one of the adversary’s RO queries and embed in the response a given 
instance of a challenge problem. One then hopes that the adversary uses this re- 
sponse in his signature forgery. If the adversary makes q random oracle queries, 
then this happens with probability 1/q and since q is polynomial this success 
probability is sufficiently high for the proof of security in the classical setting. 
Unfortunately, this strategy fails completely in the quantum-accessible random 
oracle model since every random oracle query potentially evaluates the random 
oracle at exponentially many points. Therefore, embedding the challenge in one 
response will be of no use to the reduction algorithm. This simple example shows 
that proving security in the classical RO model does not necessarily prove post- 
quantum security. 

More abstractly, the following common classical proof techniques are not 
known to carry over to the quantum settings offhand: 

— Adaptive Programmability: The classical random oracle model allows a simulator to program the answers of the random oracle for an adversary, often adaptively. Since the quantum adversary can query the random oracle with a state in superposition, the adversary may get some information about all exponentially many values right at the beginning, thereby making it difficult to program the oracle adaptively.

— Extractability/Preimage Awareness: Another application of the random oracle model for classical adversaries is that the simulator learns the pre-images the adversary is interested in. This is, for example, crucial to simulate decryption queries in the security proof for OAEP [FOPS01]. For quantum-accessible oracles the actual query may be hidden in a superposition of exponentially many states, and it is unclear how to extract the right query.

— Efficient Simulation: In the classical world, we can simulate an exponential- 
size random oracle efficiently via lazy sampling: simply pick random but 
consistent answers “on the fly”. With quantum-accessible random oracles 
the adversary can evaluate the random oracle on all inputs simultaneously, 
making it harder to apply the on-demand strategy for classical oracles. 

— Rewinding/Partial Consistency: Certain random oracle proofs [PS00] require rewinding the adversary, replaying some hash values but changing at least a single value. Beyond the usual problems of rewinding quantum adversaries, we again encounter the fact that we may not be able to change hash values unnoticed. We note that some form of rewinding is possible for quantum zero-knowledge [Wat09].

We do not claim that these problems are insurmountable. In fact, we show how to resolve the issue of efficient simulation by using (quantum-accessible) pseudorandom functions. These are pseudorandom functions where the quantum distinguisher can submit quantum states to the pseudorandom or random oracle. By this technique, we can efficiently simulate the quantum-accessible random oracle through the (efficient) pseudorandom function. While pseudorandom functions where the distinguisher may use quantum power but only gets classical access to the function can be derived from quantum-immune pseudorandom generators [GGM86], it is an open problem if the stronger quantum-accessible pseudorandom functions exist.

Note, too, that we do not seek to solve the problems related to the random oracle model which appear already in the classical settings [CGH98]. Instead we show that for post-quantum security one should allow for quantum access to the random oracle in order to capture attacks that are available when the hash function is eventually instantiated.

1.1 Our Contributions 

Separation. We begin with a separation between the classical and quantum- 
accessible RO models by presenting a two-party protocol which is: 

— secure in the classical random oracle model, 

— secure against quantum attackers with classical access to the random oracle 
model, but insecure under any implementation of the hash function, and 

— insecure in the quantum-accessible random oracle model. 
The protocol itself assumes that (asymptotically) quantum computers are faster than classical (parallel) machines and uses the quadratic gap due to Grover's algorithm and its application to collision search [BHT98] to separate secure from insecure executions.

Constructions. Next, we set out to give general conditions under which a 
classical RO proof implies security for a quantum RO. Our goal is to provide 
generic tools by which authors can simply state that their classical proof has the 
“right” structure and therefore their proof implies quantum security. We give 
two flavors of results: 

— For signatures, we define a proof structure we call a history-free reduction which roughly says that the reduction answers oracle queries independently of the history of queries. We prove that any classical proof that happens to be a history-free reduction implies quantum existential unforgeability for the signature scheme. We then show that the GPV random oracle signature scheme [GPV08] has a history-free reduction and is therefore secure in the quantum settings.

Next, we consider signature schemes built from claw-free permutations. The first is the Full Domain Hash (FDH) signature system of Bellare and Rogaway [BR93], for which we show that the classical proof technique due to Coron [Cor00] is history-free. We also prove the quantum security of a variant of FDH due to Katz and Wang [KW03] which has a tight security reduction. Lastly, we note that, as observed in [GPV08], claw-free permutations give rise to preimage sampleable trapdoor functions, which gives another FDH-like signature scheme with a tight security reduction. In all three cases the reductions in the quantum-accessible random oracle model achieve essentially the same tightness as their classical analogs.

Interestingly, we do not know of a history-free reduction for the generic Full Domain Hash of Bellare and Rogaway [BR93]. One reason is that proofs for generic FDH must somehow program the random oracle, as shown in [FLR+10]. We leave the quantum security of generic FDH as an interesting open problem. It is worth noting that at this time the quantum security of FDH is somewhat theoretical since we have no candidate quantum-secure trapdoor permutation to instantiate the FDH scheme, though this may change once a candidate is proposed.

— For encryption we prove the quantum CPA security of an encryption scheme due to Bellare and Rogaway [BR93] and the quantum CCA security of a hybrid encryption variant of [BR93].

Many open problems remain in this space. For signatures, it is still open to prove the quantum security of signatures that result from applying the Fiat-Shamir heuristic to a Σ identification protocol, for example, as suggested in [CLRS10]. Similarly, proving security of generic FDH is still open. For CCA-secure encryption, it is unknown if generic CPA to CCA transformations, such as [FO99], are secure in the quantum settings. Similarly, it is not known if lattice-based identity-based encryption systems secure in the classical RO model (e.g. as in [GPV08, ABB10b]) are also secure in the quantum random oracle model.

Related Work. The quantum random oracle model has been used in a few previous constructions. Aaronson [Aar09] uses quantum random oracles to construct unclonable public-key quantum money. Brassard and Salvail [BS08] give a modified version of Merkle's Puzzles, and show that any quantum attacker must query the random (permutation) oracle asymptotically more times than honest parties. Recently, a modified version was proposed that restores some level of security even in the presence of a quantum adversary [BHK+11]. Quantum random oracles have also been used to prove impossibility results for quantum computation. For example, Bennett et al. [BBBV97] show that relative to a random oracle, a quantum computer cannot solve all of NP.

Some progress toward identifying sufficient conditions under which classical protocols are also quantum immune has been made by Unruh [Unr10] and Hallgren et al. [HSS11]. These results show that, if a cryptographic protocol can be shown to be (computationally [HSS11] resp. statistically [Unr10]) secure in Canetti's universal composition (UC) framework [Can01] against classical adversaries, then the protocol is also resistant against (computationally bounded resp. unbounded) quantum adversaries. This, however, means that the underlying protocol must already provide strong security guarantees in the first place, namely, universal composition security, which is typically more than the aforementioned schemes in the literature satisfy. This also applies to similar results by Hallgren et al. [HSS11] for so-called simulation-based security notions for the starting protocol. Furthermore, all these results do not seem to be applicable immediately to the random oracle model where the quantum adversary now has quantum access to the random function (but where the ideal functionality for the random oracle in the UC framework would have only been defined for classical access according to the classical protocol specification), and where the question of instantiation is an integral step which needs to be considered.

2 Preliminaries 

A non-negative function $\epsilon = \epsilon(n)$ is negligible if, for all polynomials $p(n)$ we have that $\epsilon(n) < p(n)^{-1}$ for all sufficiently large $n$. The variational distance between two distributions $D_1$ and $D_2$ over $\Omega$ is given by

$|D_1 - D_2| = \sum_{x \in \Omega} \left| \Pr[x \mid D_1] - \Pr[x \mid D_2] \right|.$

If the distance between two output distributions is $\epsilon$, the difference in probability of the output satisfying a certain property is at most $\epsilon$.

A classical randomized algorithm $A$ can be thought of in two ways. In the first, $A$ is given an input $x$, $A$ makes some coin tosses during its computation, and ultimately outputs some value $y$. We denote this action by $A(x)$ where $A(x)$ is a random variable. Alternatively, we can give $A$ both its input $x$ and randomness $r$, in which case we denote this action as $A(x; r)$. For a classical algorithm, $A(x; r)$ is deterministic. An algorithm $A$ is probabilistic polynomial-time (PPT) if it runs in polynomial time in the security parameter (which we often omit from the input for sake of simplicity).

2.1 Quantum Computation 

We briefly give some background on quantum computation and refer to [NC00] for a more complete discussion. A quantum system $A$ is associated to a (finite-dimensional) complex Hilbert space $\mathcal{H}_A$ with an inner product $\langle \cdot | \cdot \rangle$. The state of the system is described by a vector $|\psi\rangle \in \mathcal{H}_A$ such that the Euclidean norm $\| |\psi\rangle \| = \sqrt{\langle \psi | \psi \rangle}$ is 1. Given quantum systems $A$ and $B$ over spaces $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively, we define the joint or composite quantum system through the tensor product $\mathcal{H}_A \otimes \mathcal{H}_B$. The product state of $|\psi_A\rangle \in \mathcal{H}_A$ and $|\psi_B\rangle \in \mathcal{H}_B$ is denoted by $|\psi_A\rangle \otimes |\psi_B\rangle$ or simply $|\psi_A\rangle |\psi_B\rangle$. An $n$-qubit system lives in the joint quantum system of $n$ two-dimensional Hilbert spaces. The standard orthonormal computational basis $|x\rangle$ for such a system is given by $|x_1\rangle \otimes \cdots \otimes |x_n\rangle$ for $x = x_1 \ldots x_n$. Any (classical) bit string $x$ is encoded into a quantum state as $|x\rangle$. An arbitrary pure $n$-qubit state $|\psi\rangle$ can be expressed in the computational basis as $|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$ where $\alpha_x$ are complex amplitudes obeying

$\sum_{x \in \{0,1\}^n} |\alpha_x|^2 = 1.$


Transformations. Evolutions of quantum systems are described by unitary transformations with $I_A$ being the identity transformation on register $A$. Given a joint quantum system over $\mathcal{H}_A \otimes \mathcal{H}_B$ and a transformation $U_A$ acting only on $\mathcal{H}_A$, it is understood that $U_A |\psi_A\rangle |\psi_B\rangle$ refers to $(U_A \otimes I_B) |\psi_A\rangle |\psi_B\rangle$.

Information can be extracted from a quantum state $|\psi\rangle$ by performing a positive-operator valued measurement (POVM) $M = \{M_i\}$ with positive semi-definite measurement operators $M_i$ that sum to the identity, $\sum_i M_i = I$. Outcome $i$ is obtained with probability $p_i = \langle \psi | M_i | \psi \rangle$. A special case are projective measurements such as the measurement in the computational basis of the state $|\psi\rangle = \sum_x \alpha_x |x\rangle$ which yields outcome $x$ with probability $|\alpha_x|^2$. We can also do a partial measurement on some of the qubits. The probability of the partial measurement resulting in a string $x$ is the same as if we measured the whole state, and ignored the rest of the qubits. In this case, the resulting state will be the same as $|\psi\rangle$, except that all the strings inconsistent with $x$ are removed. This new state will not have a norm of 1, so the actual superposition is obtained by dividing by the norm. For example, if we measure the first $n$ bits of $|\psi\rangle = \sum_{x,y} \alpha_{x,y} |x, y\rangle$, we will obtain the measurement $x$ with probability $\sum_{y'} |\alpha_{x,y'}|^2$, and in this case the resulting state will be
Following [BBC+98], we model a quantum attacker $A_Q$ with access to (possibly identical) oracles $O_1, O_2, \ldots$ by a sequence of unitary transformations $U_0, O_1, U_1, \ldots, O_{T-1}, U_T$ over $k = \mathrm{poly}(n)$ qubits. Here, oracle $O_i : \{0,1\}^n \to \{0,1\}^m$ maps the first $n + m$ qubits from basis state $|x\rangle |y\rangle$ to basis state $|x\rangle |y \oplus O_i(x)\rangle$ for $x \in \{0,1\}^n$ and $y \in \{0,1\}^m$. If we require the access to $O_i$ to be classical instead of quantum, the first $n$ bits of the state are measured before applying the unitary transformation corresponding to $O_i$. Notice that any quantum-accessible oracle can also be used as a classical oracle. Note that the algorithm $A_Q$ may also receive some input $|\psi\rangle$. Given an algorithm $A_Q$ as above, with access to oracles $O_i$, we sometimes write $A_Q^{|O_i\rangle}$ to indicate that the oracle is quantum-accessible (contrary to oracles which can only process classical bits).

To introduce asymptotics we assume that $A_Q$ is actually a sequence of such transformation sequences, indexed by parameter $n$, and that each transformation sequence is composed out of quantum systems for input, output, oracle calls, and work space (of sufficiently many qubits). To measure polynomial running time, we assume that each $U_i$ is approximated (to sufficient precision) by members of a set of universal gates (say, Hadamard, phase, CNOT and $\pi/8$; for sake of concreteness [NC00]), where at most polynomially many gates are used. Furthermore, $T = T(n)$ is assumed to be polynomial, too. Note that $T$ also bounds the number of oracle queries.

We define the Euclidean distance $\| |\phi\rangle - |\psi\rangle \|$ between two states as the value

$\left( \sum_x |\alpha_x - \beta_x|^2 \right)^{1/2}$ where $|\phi\rangle = \sum_x \alpha_x |x\rangle$ and $|\psi\rangle = \sum_x \beta_x |x\rangle$.

Define $q_r(|\phi_t\rangle)$ to be the magnitude squared of $r$ in the superposition of query $t$. We call this the query probability of $r$ in query $t$. If we sum over all $t$, we get the total query probability of $r$.

We will be using the following lemmas: 

Lemma 1 ([BBBV97], Theorem 3.1). Let $|\phi\rangle$ and $|\psi\rangle$ be quantum states with Euclidean distance at most $\epsilon$. Then, performing the same measurement on $|\phi\rangle$ and $|\psi\rangle$ yields distributions with statistical distance at most $4\epsilon$.

Lemma 2 ([BBBV97], Theorem 3.3). Let $A_Q$ be a quantum algorithm running in time $T$ with oracle access to $O$. Let $\epsilon > 0$ and let $S \subseteq [1, T] \times \{0,1\}^n$ be a set of time-string pairs such that $\sum_{(t,r) \in S} q_r(|\phi_t\rangle) < \epsilon$. If we modify $O$ into an oracle $O'$ which answers each query $r$ at time $t$ by providing the same string $R$ (which has been independently sampled at random), then the Euclidean distance between the final states of $A_Q$ when invoking $O$ and $O'$ is at most $\sqrt{T\epsilon}$.
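The quantities the two lemmas are stated in terms of (query probability $q_r$, Euclidean distance between final states, and the measurement distributions Lemma 1 compares) can be computed exactly on a toy scale. The following pure-Python state-vector simulation is an added example constructed for this page, not code from the paper. It stores $|x\rangle|y\rangle$ at list index $(x \ll m) \mid y$, implements the XOR oracle $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus O(x)\rangle$ defined above, and runs one query against an oracle $O$ and against a copy $O'$ reprogrammed at a single point $r$, once with the input register in uniform superposition and once after measuring it first (the classical-access case). The oracle table, $n$, $m$, $r$ and $R$ are constructed sample values.

```python
import math

# Constructed example, not the paper's code: a tiny state-vector simulator
# for an oracle O: {0,1}^n -> {0,1}^m queried in superposition or classically.
# Basis state |x>|y> is stored at list index (x << m) | y.


def basis_index(x, y, m):
    return (x << m) | y


def uniform_query_state(n, m):
    """|phi> = 2^{-n/2} * sum_x |x>|0>: every input value queried at once."""
    amp = 1.0 / math.sqrt(2 ** n)
    state = [0j] * (2 ** (n + m))
    for x in range(2 ** n):
        state[basis_index(x, 0, m)] = amp
    return state


def classical_query_state(n, m, x0):
    """|x0>|0>: what remains after measuring the input register before the query."""
    state = [0j] * (2 ** (n + m))
    state[basis_index(x0, 0, m)] = 1.0 + 0j
    return state


def apply_oracle(state, n, m, table):
    """The unitary |x>|y> -> |x>|y XOR O(x)>, O given as a list indexed by x."""
    out = [0j] * len(state)
    for x in range(2 ** n):
        for y in range(2 ** m):
            out[basis_index(x, y ^ table[x], m)] += state[basis_index(x, y, m)]
    return out


def query_probability(state, n, m, r):
    """q_r(|phi>): squared magnitude of input value r in the query state."""
    return sum(abs(state[basis_index(r, y, m)]) ** 2 for y in range(2 ** m))


def euclidean_distance(s1, s2):
    return math.sqrt(sum(abs(a - b) ** 2 for a, b in zip(s1, s2)))


def measurement_distribution(state):
    """Measuring all qubits in the computational basis: outcome i w.p. |alpha_i|^2."""
    return [abs(a) ** 2 for a in state]


def variational_distance(d1, d2):
    """sum_i |Pr[i|D1] - Pr[i|D2]|, the distance Lemma 1 bounds."""
    return sum(abs(p - q) for p, q in zip(d1, d2))


def partial_measure(state, n, m, x):
    """Measure the first n qubits and observe x: returns (probability, post-state),
    the post-state keeping only strings consistent with x, renormalised."""
    prob = query_probability(state, n, m, x)
    if prob == 0:
        raise ValueError("outcome has probability zero")
    post = [0j] * len(state)
    for y in range(2 ** m):
        i = basis_index(x, y, m)
        post[i] = state[i] / math.sqrt(prob)
    return prob, post


def reprogrammed(table, r, big_r):
    """O' = O except that O'(r) = R (the modification in Lemma 2)."""
    new = list(table)
    new[r] = big_r
    return new


def compare_oracles(query_state, n, m, table, r, big_r):
    """One query against O and against O' reprogrammed at r; returns
    (Euclidean distance of the final states, variational distance of the
    distributions a full computational-basis measurement would produce)."""
    final_o = apply_oracle(query_state, n, m, table)
    final_op = apply_oracle(query_state, n, m, reprogrammed(table, r, big_r))
    dist = euclidean_distance(final_o, final_op)
    stat = variational_distance(measurement_distribution(final_o),
                                measurement_distribution(final_op))
    return dist, stat


if __name__ == "__main__":
    n, m = 3, 2
    table = [0, 1, 2, 3, 3, 2, 1, 0]   # constructed oracle O on 3-bit inputs
    sup = uniform_query_state(n, m)
    print([query_probability(sup, n, m, r) for r in range(2 ** n)])   # 1/8 each
    print(compare_oracles(sup, n, m, table, 5, 0))                     # (0.5, 0.25)
    print(compare_oracles(classical_query_state(n, m, 2), n, m, table, 5, 0))  # (0.0, 0.0)
```

With the input register in uniform superposition every $r$ has query probability $2^{-n}$, so reprogramming any single point moves the final state by $\sqrt{2 \cdot 2^{-n}}$ and the two measurement distributions differ by $2 \cdot 2^{-n}$ (within the $4\epsilon$ of Lemma 1); the classical query at $x_0 \neq r$ is unaffected. This is the mechanism behind the Introduction's remark that a reduction which embeds its challenge in one oracle response can no longer rely on the adversary having "asked" for that point.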

2.2 Quantum-Accessible Random Oracles 

In the classical random oracle model [BR93] all algorithms used in the system are given access to the same random oracle. In the proof of security, the reduction algorithm answers the adversary's queries with consistent random answers.

In the quantum settings, a quantum attacker issues a random oracle query which is itself a superposition of exponentially many states. The reduction algorithm must evaluate the random oracle at all points in the superposition. To ensure that random oracle queries are answered consistently across queries, it is convenient to assume that quantum-resistant pseudorandom functions exist, and to implement this auxiliary random oracle with such a PRF.

Definition 1 (Pseudorandom Function). A quantum-accessible pseudorandom function is an efficiently computable function $\mathrm{PRF}$ where, for all efficient quantum algorithms $D$,

$\left| \Pr[D^{\mathrm{PRF}(k, \cdot)}(1^n) = 1] - \Pr[D^{O(\cdot)}(1^n) = 1] \right| < \epsilon$

where $\epsilon = \epsilon(n)$ is negligible in $n$, and where $O$ is a random oracle, the first probability is over the keys $k$ of length $n$, and the second probability is over all random oracles and the sampling of the result of $D$.

We note that, following Watrous [Wat09], indistinguishability as above should still hold for any auxiliary quantum state $\sigma$ given as additional input to $D$ (akin to non-uniformity for classical algorithms). We do not include such auxiliary information in our definition in order to simplify.

We say that an oracle O' is computationally indistinguishable from a random 
oracle if, for all polynomial time quantum algorithms with oracle access, the 
variational distance of the output distributions when the oracle is O' and when 
the oracle is a truly random oracle O is negligible. Thus, simulating a random 
oracle with a quantum-accessible pseudorandom function is computationally in- 
distinguishable from a true random oracle. 

We remark that, instead of assuming that quantum-accessible PRFs exist, 
we can often carry out security reductions relative to a random oracle. Con- 
sider, for example, a signature scheme (in the quantum-accessible random oracle 
model) which we prove to be unforgeable for quantum adversaries, via a reduc- 
tion to the one-wayness of a trapdoor permutation against quantum inverters. 
We can then formally first claim that the scheme is unforgeable as long as in- 
verting the trapdoor permutation is infeasible even when having the additional 
power of a quantum-accessible random oracle; only in the next step we can 
then conclude that this remains true in the standard model, if we assume that 
quantum-accessible pseudorandom functions exist and let the inverter simulate 
the random oracle with such a PRF. We thus still get a potentially reasonable 
security claim even if such PRFs do not exist. This technique works whenever 
we can determine the success of the adversary (as in case of inverting a one-way 
function). 


2.3 Hard Problems for Quantum Computers 

We will use the following general notion of a hard problem. 

Definition 2 (Problem). A problem is a pair $P = (\mathrm{Game}_P, \alpha_P)$ where $\mathrm{Game}_P$ specifies a game that a (possibly quantum) adversary plays with a classical challenger. The game works as follows:

• On input $1^n$, the challenger computes a value $x$, which it sends to the adversary as its input.

• The adversary is then run on $x$, and is allowed to make classical queries to the challenger.

• The adversary then outputs a value $y$, which it sends to the challenger.

• The challenger then looks at $x$, $y$, and the classical queries made by the adversary, and outputs 1 or 0.

The value $\alpha_P$ is a real number between 0 (inclusive) and 1 (exclusive). It may also be a function of $n$, but for this paper, we only need constant $\alpha_P$, specifically $\alpha_P$ is always 0 or 1/2.

We say that an adversary $A$ wins the game $\mathrm{Game}_P$ if the challenger outputs 1. We define the advantage $\mathrm{Adv}_{A,P}$ of $A$ in problem $P$ as

$\mathrm{Adv}_{A,P} = \left| \Pr[A \text{ wins in } \mathrm{Game}_P] - \alpha_P \right|.$


Definition 3 (Hard Problem). A problem $P = (\mathrm{Game}_P, \alpha_P)$ is hard for quantum computers if, for all polynomial time quantum adversaries $A$, $\mathrm{Adv}_{A,P}$ is negligible.


2.4 Cryptographic Primitives 

For this paper, we define the security of standard cryptographic primitives in terms of certain problems being hard for quantum computers. We give a brief sketch here and refer to the full version [BDF+10] for supplementary details.

A trapdoor function $\mathcal{F}$ is secure if $\mathrm{Inv}(\mathcal{F}) = (\mathrm{Game}_{\mathrm{Inv}}(\mathcal{F}), 0)$ is a hard problem for quantum computers, where in $\mathrm{Game}_{\mathrm{Inv}}$ an adversary is given a random element $y$ and a public key, and succeeds if it can output an inverse for $y$ relative to the public key. A preimage sampleable trapdoor function $\mathcal{F}$ is secure if $\mathrm{Inv}(\mathcal{F})$ as described above is hard, and if $\mathrm{Col}(\mathcal{F}) = (\mathrm{Game}_{\mathrm{Col}}(\mathcal{F}), 0)$ is hard for quantum computers, where in $\mathrm{Game}_{\mathrm{Col}}$ an adversary is given a public key, and succeeds if it can output a collision relative to that public key. A signature scheme $\mathcal{S}$ is secure if the game $\mathrm{Sig\text{-}Forge}(\mathcal{S}) = (\mathrm{Game}_{\mathrm{Sig}}(\mathcal{S}), 0)$ is hard, where $\mathrm{Game}_{\mathrm{Sig}}$ is the standard existential unforgeability under a chosen message attack game. Lastly, a private (resp. public) key encryption scheme $\mathcal{E}$ is secure if $\mathrm{Sym\text{-}CCA}(\mathcal{E}) = (\mathrm{Game}_{\mathrm{Sym}}(\mathcal{E}), \tfrac{1}{2})$ (resp. $\mathrm{Asym\text{-}CCA}(\mathcal{E}) = (\mathrm{Game}_{\mathrm{Asym}}(\mathcal{E}), \tfrac{1}{2})$) is hard, where $\mathrm{Game}_{\mathrm{Sym}}$ is the standard private key CCA attack game, and $\mathrm{Game}_{\mathrm{Asym}}$ is the standard public key attack game.

3 Separation Result 

In this section, we discuss a two-party protocol that is provably secure in the random oracle model against both classical and quantum adversaries with classical access to the random oracle (and when using quantum-immune primitives). We then use the polynomial gap between the birthday attack and a collision finder based on Grover's algorithm to show that the protocol remains secure for certain hash functions when only classical adversaries are considered, but becomes insecure for any hash function if quantum adversaries are allowed. Analyzing the protocol in the stronger quantum random oracle model, where we grant the adversary quantum access to the random oracle, yields the same negative result.

Note that, due to the page limit, we discuss only the high-level idea of our protocol; for the full description and the formal security analysis we refer to the full version [BDF+10]. We start by briefly presenting the necessary definitions and assumptions for our construction.

Building Blocks. For sake of simplicity, we start with a quantum-immune identification scheme to derive our protocol; any other primitive or protocol can be used in a similar fashion. An identification scheme $\mathrm{IS}$ consists of three efficient algorithms $(\mathrm{IS.KGen}, \mathcal{P}, \mathcal{V})$ where $\mathrm{IS.KGen}$ on input $1^n$ returns a key pair $(sk, pk)$. The joint execution of $\mathcal{P}(sk, pk)$ and $\mathcal{V}(pk)$ then defines an interactive protocol between the prover $\mathcal{P}$ and the verifier $\mathcal{V}$. At the end of the protocol $\mathcal{V}$ outputs a decision bit $b \in \{0, 1\}$, indicating whether he accepts the identification of $\mathcal{P}$ or not. We say that $\mathrm{IS}$ is secure if an adversary, after interacting with an honest prover $\mathcal{P}$, cannot impersonate $\mathcal{P}$ such that a verifier accepts the interaction.

A hash function $\mathrm{H} = (\mathrm{H.KGen}, \mathrm{H.Eval})$ is a pair of efficient algorithms such that $\mathrm{H.KGen}$ for input $1^n$ returns a key $k$ (which contains $1^n$), and $\mathrm{H.Eval}$ for input $k$ and $M \in \{0, 1\}^*$ deterministically outputs a digest $\mathrm{H.Eval}(k, M)$. For a random oracle $\mathrm{H}$ we use $k$ as a "salt" and consider the random function $\mathrm{H}(k, \cdot)$. The hash function is called near-collision-resistant if for any efficient algorithm $A$ the probability that for $k \leftarrow \mathrm{H.KGen}(1^n)$, some constant $1 \le \ell \le n$ and $(M, M') \leftarrow A(k, \ell)$ we have $M \neq M'$ but $\mathrm{H.Eval}(k, M)|_\ell = \mathrm{H.Eval}(k, M')|_\ell$, is negligible (as a function of $n$). Here we denote by $x|_\ell$ the leading $\ell$ bits of the string $x$. Note that for $\ell = n$ the above definition yields the standard notion of collision-resistance.

Classical vs. Quantum Collision-Resistance. In the classical setting, (near-) collision-resistance for any hash function is upper bounded by the birthday attack. This generic attack states that for any hash function with $n$ bits output, an attacker can find a collision with probability roughly 1/2 by probing $2^{n/2}$ distinct and random inputs. For (classical) random oracles this attack is optimal.

In the quantum setting, one can gain a polynomial speed-up on the collision search by using Grover's algorithm [Gro96, Gro98], which performs a search on an unstructured database with $N$ elements in time $O(\sqrt{N})$. Roughly, this is achieved by using superpositions to examine all entries "at the same time". Brassard et al. [BHT98] use Grover's algorithm to obtain an algorithm for solving the collision problem for a hash function $\mathrm{H} : \{0, 1\}^* \to \{0, 1\}^n$ with probability at least 1/2, using only $O(\sqrt[3]{2^n})$ evaluations of $\mathrm{H}$.
Computational and Timing Assumptions. To allow reasonable statements about the security of our protocol we need to formalize assumptions concerning the computational power of the adversary and the time that elapses on quantum and classical computers. In particular, we assume the following:

1. The speed-up one can gain by using a parallel machine with many processors is bounded by a fixed term.

2. The time that is required to evaluate a hash function is independent of the input and the computational environment.

3. Any computation or action that does not require the evaluation of a hash function costs zero time.

The first assumption basically resembles the fact that in the real world there is only a concrete and finite amount of equipment available that can contribute to a performance gain of a parallel system. Assumptions (2)+(3) are regarding the time that is needed to evaluate a hash function or to send a message between two parties and are merely for the sake of convenience, as one could patch the idea by relating the timings more rigorously. The latter assumption implicitly states that the computational overhead that quantum algorithms may create to obtain a speed-up is negligible when compared to the costs of a hash evaluation. This might be too optimistic in the near future, as indicated by Bernstein [Ber09]. That is, Bernstein discussed that the overall costs of a quantum computation can be higher than those of massive parallel computation. However, as our work addresses conceptual issues that arise when efficient quantum computers exist, this assumption is somewhat inherent in our scenario.

3.1 Construction 

We now present our identification scheme between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$. The main idea is to augment a secure identification scheme $\mathrm{IS}$ by a collision-finding stage for some hash function $\mathrm{H}$. In this first stage, the verifier checks if the prover is able to produce collisions on a hash function in a particular time. More precisely, the verifier starts for timekeeping to evaluate the hash function $\mathrm{H.Eval}(k, \cdot)$ on the messages $\langle c \rangle$ for $c = 1, 2, \ldots, \lceil \sqrt[3]{2^\ell} \rceil$ for a key $k$ chosen by the verifier and where $\langle c \rangle$ stands for the binary representation of $c$ with $\log \lceil \sqrt[3]{2^\ell} \rceil$ bits. The prover has now to respond with a near-collision $M \neq M'$ such that $\mathrm{H.Eval}(k, M) = \mathrm{H.Eval}(k, M')$ holds for the first $\ell$ bits. One round of the collision stage ends if the verifier either receives such a collision or finishes its $\sqrt[3]{2^\ell}$ hash evaluations. The verifier and the prover then repeat such a round $r = \mathrm{poly}(n)$ times, sending a fresh key $k$ in each round.

Subsequently, both parties run the standard identification scheme. At the end, 
the verifier accepts if the prover was able to find enough collisions in the first 
stage or identifies correctly in the second stage. Thus, as long as the prover is not 
able to produce collisions in the required time, the protocol mainly resembles 
the IS protocol. 
Fig. 1. The IS*-Identification Protocol

Verifier V*                                              Prover P*
ℓ < log(n), collCount := 0                               (sk, pk) ← IS.KGen(1^n), ℓ

collision stage (repeat for i = 1, 2, ..., r):
  k_i ← H.KGen(1^n)                    ---- k_i ---->
  compute H.Eval(⟨1⟩)                                     search for ℓ-near
  compute H.Eval(⟨2⟩)                                     collision on H(k_i, ·)
  ...                                  <-- M_i, M_i' --
  compute H.Eval(⟨c⟩)
  stop if c > ⌈∛(2^ℓ)⌉ or
    H.Eval(k_i, M_i)|_ℓ = H.Eval(k_i, M_i')|_ℓ
  if collision was found set
    collCount := collCount + 1

identification stage:
  decision bit b ← ⟨P(sk, pk), V(pk)⟩
  accept if b = 1
    or collCount > r/4


Completeness of the IS* protocol follows easily from the completeness of the 
underlying IS scheme. 

Security against Classical and Quantum Adversaries. To prove security of our protocol, we need to show that an adversary $A$, after interacting with an honest prover $\mathcal{P}^*$, can subsequently not impersonate $\mathcal{P}^*$ such that $\mathcal{V}^*$ will accept the identification. Let $\ell$ be such that $\ell > 6 \log(a)$ where $a$ is the constant reflecting the bounded speed-up in parallel computing from Assumption (1). By assuming that $\mathrm{IS} = (\mathrm{IS.KGen}, \mathcal{P}, \mathcal{V})$ is a quantum-immune identification scheme, we can show that $\mathrm{IS}^*$ is secure in the standard random oracle model against classical and quantum adversaries.

The main idea is that for the standard random oracle model, the ability of finding collisions is bounded by the birthday attack. Due to the constraint of granting only time for $\sqrt[3]{2^\ell}$ hash evaluations for the collision search and setting $\ell > 6 \log(a)$, even an adversary with quantum or parallel power is not able to make at least $\sqrt{2^\ell}$ random oracle queries. Thus, $A$ has only negligible probability to respond in more than 1/4 of the $r$ rounds with a collision.
When considering only classical adversaries, we can also securely instantiate the random oracle by a hash function H that provides near-collision-resistance close to the birthday bound. Note that this property is particularly required from the SHA-3 candidates [NIS07].

However, for adversaries A_Q with quantum power, such an instantiation is not possible for any hash function. This stems from the fact that A_Q can locally evaluate a hash function on quantum states, which in turn allows it to apply Grover's search algorithm. Then an adversary will find a collision in time √T with probability at least 1/2, and thus will be able to provide r/4 collisions with noticeable probability. The same result holds in the quantum-accessible random oracle model, since Grover's algorithm only requires (quantum) black-box access to the hash function.

4 Signature Schemes in the Quantum-Accessible Random 
Oracle Model 

We now turn to proving security in the quantum-accessible random oracle model. We present general conditions for when a proof of security in the classical random oracle model implies security in the quantum-accessible random oracle model. The result in this section applies to signatures whose classical proof of security is a history-free reduction as defined next. Roughly speaking, history-freeness means that the classical proof of security simulates the random oracle and signature oracle in a history-free fashion. That is, its responses to queries do not depend on responses to previous queries or the query number. We then show that a number of classical signature schemes have a history-free reduction, thereby proving their security in the quantum-accessible random oracle model.

Definition 4 (History-free Reduction). A random oracle model signature scheme S = (G, S^O, V^O) has a history-free reduction from a hard problem P = (Game_P, O) if there is a proof of security that uses a classical PPT adversary A for S to construct a classical PPT algorithm B for problem P such that:

• Algorithm B for P contains four explicit classical algorithms: START, RAND^{O_c}, SIGN^{O_c}, and FINISH^{O_c}. The latter three algorithms have access to a shared classical random oracle O_c. These algorithms, except for RAND^{O_c}, may also make queries to the challenger for problem P. The algorithms are used as follows:

(1) Given an instance x for problem P as input, algorithm B first runs START(x) to obtain (pk, z), where pk is a signature public key and z is private state to be used by B. Algorithm B sends pk to A and plays the role of challenger to A.

(2) When A makes a classical random oracle query to O(r), algorithm B responds with RAND^{O_c}(r, z). Note that RAND is given the current query as input, but is unaware of previous queries and responses.

(3) When A makes a classical signature query S(sk, m), algorithm B responds with SIGN^{O_c}(m, z).

(4) When A outputs a signature forgery candidate (m, σ), algorithm B outputs FINISH^{O_c}(m, σ, z).

• There is an efficiently computable function INSTANCE(pk) which produces an instance x of problem P such that START(x) = (pk, z) for some z. Consider the process of first generating (sk, pk) from G(1^n), and then computing x = INSTANCE(pk). The distribution of x generated in this way is negligibly close to the distribution of x generated in Game_P.

• For fixed z, consider the classical random oracle O(r) = RAND^{O_c}(r, z). Define a quantum oracle O_quant which transforms a basis element |x, y⟩ into |x, y ⊕ O(x)⟩. We require that O_quant is quantum computationally indistinguishable from a random oracle.

• SIGN^{O_c} either aborts (and hence B aborts) or it generates a valid signature relative to the oracle O(r) = RAND^{O_c}(r, z) with a distribution negligibly close to the correct signing algorithm. The probability that none of the signature queries abort is non-negligible.

• If (m, σ) is a valid signature forgery relative to the public key pk and oracle O(r) = RAND^{O_c}(r, z), then the output of B (i.e. FINISH^{O_c}(m, σ, z)) causes the challenger for problem P to output 1 with non-negligible probability. □

We now show that history-free reductions imply security in the quantum settings. 

Theorem 1. Let S = (G, S, V) be a signature scheme. Suppose that there is a history-free reduction that uses a classical PPT adversary A for S to construct a PPT algorithm B for a problem P. Further, assume that P is hard for polynomial-time quantum computers, and that quantum-accessible pseudorandom functions exist. Then S is secure in the quantum-accessible random oracle model.

Proof. The history-free reduction includes five (classical) algorithms START, RAND, SIGN, FINISH, and INSTANCE, as in Definition 4. We prove the quantum security of S using a sequence of games, where the first game is the standard quantum signature game with respect to S.

Game 0. Define Game_0 as the game a quantum adversary A_Q plays for problem Sig-Forge(S). Assume towards contradiction that A_Q has a non-negligible advantage.

Game 1. Define Game_1 as the following modification to Game_0: after the challenger generates (sk, pk), it computes x ← INSTANCE(pk) as well as (pk, z) ← START(x). Further, instead of answering A_Q's quantum random oracle queries with a truly random oracle, the challenger simulates for A_Q a quantum-accessible random oracle O_quant as an oracle that maps a basis element |x, y⟩ into the element |x, y ⊕ RAND^{O_q}(x, z)⟩, where O_q is a truly random quantum-accessible oracle. The history-free guarantee on RAND ensures that O_quant is computationally indistinguishable from random for quantum adversaries. Therefore, the success probability of A_Q in Game_1 is negligibly close to its success probability in Game_0, and hence is non-negligible.
Game 2. Modify the challenger from Game_1 as follows: instead of generating (sk, pk) and computing x = INSTANCE(pk), start off by running the challenger for problem P. When that challenger sends x, then start the challenger from Game_1 using this x. Also, when A_Q asks for a signature on m, answer with SIGN^{O_q}(m, z). First, since INSTANCE is part of a history-free reduction, this change in how we compute x only negligibly affects the distribution of x, and hence the behavior of A_Q. Second, as long as all signing algorithms succeed, changing how we answer signing queries only negligibly affects the behavior of A_Q. Thus, the probability that A_Q succeeds is the product of the following two probabilities:

• The probability that all of the signing queries are answered without aborting.

• The probability that A_Q produces a valid forgery given that the signing queries were answered successfully.

The first probability is non-negligible by assumption, and the second is negligibly close to the success probability of A_Q in Game_1, which is also non-negligible. This means that the success probability of A_Q in Game_2 is non-negligible.


Game 3. Define Game_3 as in Game_2, except for two modifications to the challenger: First, it generates a key k for the quantum-accessible PRF. Then, to answer a random oracle query O_q(|φ⟩), the challenger applies the unitary transformation that takes a basis element |x, y⟩ into |x, y ⊕ PRF(k, x)⟩. If the success probability in Game_3 was non-negligibly different from that of Game_2, we could construct a distinguisher for PRF which plays both the role of A_Q and the challenger. Hence, the success probability in Game_3 is negligibly close to that of Game_2, and hence is also non-negligible.

Given a quantum adversary that has non-negligible advantage in Game 3, we construct a quantum algorithm B_Q that breaks problem P. When B_Q receives instance x from the challenger for problem P, it computes (pk, z) ← START(x) and generates a key k for PRF. Then, it simulates A_Q on pk. B_Q answers random oracle queries using a quantum-accessible function built from RAND^{PRF(k,·)}(·, z) as in Game 1. It answers signing queries using SIGN^{PRF(k,·)}(·, z). Then, when A_Q outputs a forgery candidate (m, σ), B_Q computes FINISH^{PRF(k,·)}(m, σ, z), and returns the result to the challenger for problem P.

Observe that the behavior of A_Q in Game_3 is identical to that as a subroutine of B_Q. Hence, A_Q as a subroutine of B_Q will output a valid forgery (m, σ) with non-negligible probability. If (m, σ) is a valid forgery, then since FINISH is part of a history-free reduction, FINISH^{PRF(k,·)}(m, σ, z) will cause the challenger for problem P to accept with non-negligible probability. Thus, the probability that P accepts is also non-negligible, contradicting our assumption that P is hard for quantum computers.

Hence we have shown that any polynomial quantum algorithm has negligible advantage against problem Sig-Forge(S), which completes the proof. □
We note that, in every step of the algorithm, the adversary A_Q remains in a pure state. This is because, in each game, A_Q's state is initially pure (since it is classical), and every step of the game either involves a unitary transformation, a partial measurement, or classical communication. In all three cases, if the state is pure before, it is also pure after.

We also note that we could have stopped at Game 2 and assumed that the cryp- 
tographic problem P is hard relative to a (quantum-accessible) random oracle. 
Assuming the existence of quantum-accessible pseudorandom functions allows 
us to draw the same conclusion in the standard (i.e., non-relativized) model at 
the expense of an extra assumption. 


4.1 Secure Signatures from Preimage Sampleable Trapdoor 
Functions (PSF) 

We now use Theorem 1 to prove the security of the Full Domain Hash signature scheme when instantiated with a preimage sampleable trapdoor function (PSF), such as the one proposed in [GPV08]. Loosely speaking, a PSF F is a tuple of PPT algorithms (G, Sample, f, f^{-1}) where G(·) generates a key pair (pk, sk), f(pk, ·) defines an efficiently computable function, f^{-1}(sk, y) samples from the set of pre-images of y, and Sample(pk) samples x from the domain of f(pk, ·) such that f(pk, x) is statistically close to uniform in the range of f(pk, ·). The PSF of [GPV08] is not only one-way, but is also collision resistant.

Recall that the full domain hash (FDH) signature scheme is defined as follows:

Definition 5 (Full Domain Hash). Let F = (G, f, f^{-1}) be a trapdoor permutation, and O a hash function whose range is the same as the range of f. The full domain hash signature scheme is S = (G, S^O, V^O) where:

• S^O(sk, m) = f^{-1}(sk, O(m))

• V^O(pk, m, σ) = 1 if O(m) = f(pk, σ), and 0 otherwise.

Gentry et al. [GPV08] show that the FDH signature scheme can be instantiated with a PSF F = (G, Sample, f, f^{-1}) instead of a trapdoor permutation. Call the resulting system FDH-PSF. They prove that FDH-PSF is secure against classical adversaries, provided that the pre-image sampling algorithm used during signing is derandomized (e.g. by using a classical PRF to generate its random bits). Their reduction is not quite history-free, but we show that it can be made history-free.

Consider the following reduction from a classical adversary A for the FDH-PSF scheme S to a classical collision finder B for F:

• On input pk, B computes START(pk) := (pk, pk), and simulates A on pk.

• When A queries O(r), B responds with RAND^{O_c}(r, pk) := f(pk, Sample(1^n; O_c(r))).

• When A queries S(sk, m), B responds with SIGN^{O_c}(m, pk) := Sample(1^n; O_c(m)).

• When A outputs (m, σ), B outputs FINISH^{O_c}(m, σ, pk) := (Sample(1^n; O_c(m)), σ).

In addition, we define INSTANCE(pk) := pk. Algorithms INSTANCE and START trivially satisfy the requirements of history-freeness (Definition 4). Before showing that the above reduction is in history-free form, we need the following technical lemma whose proof is given in the full version [BDF+10].

Lemma 3. Say A is a quantum algorithm that makes q quantum oracle queries. Suppose further that we draw the oracle O from two distributions. The first is the random oracle distribution. The second is the distribution of oracles where the value of the oracle at each input x is identically and independently distributed by some distribution D whose variational distance is within ε from uniform. Then the variational distance between the distributions of outputs of A with each oracle is at most 4q²√ε.

Proof Sketch. We show that there is a way of moving from O to O_D such that the oracle is only changed on inputs in a set K where the sum of the amplitudes squared of all k ∈ K, over all queries made by A, is small. Thus, we can use Lemma [number illegible in the source] to show that the expected behavior of any algorithm making polynomially many quantum queries to O is only changed by a small amount. □

Lemma 3 shows that we can replace a truly random oracle O with an oracle O_D distributed according to distribution D without impacting A, provided D is close to uniform. Note, however, that while this change only affects the output of A negligibly, the effects are larger than in the classical setting. If A only made classical queries to O, a simple hybrid argument shows that changing to O_D affects the distribution of the output of A by at most qε, as opposed to 4q²√ε in the quantum case. Thus, quantum security reductions that use Lemma 3 will not be as tight as their classical counterparts.

We now show that the reduction above is history-free. 

Theorem 2. The reduction above applied to FDH-PSF is history-free. 

Proof. The definition of a PSF implies that the distribution of f(pk, Sample(1^n)) is within ε_sample of uniform, for some negligible ε_sample. Now, since O(r) = RAND^{O_c}(r, pk) = f(pk, Sample(1^n; O_c(r))) and O_c is a true random oracle, the quantity O(r) is distributed independently according to a distribution that is ε_sample away from uniform. Define a quantum oracle O_quant which transforms the basis state |x, y⟩ into |x, y ⊕ O(x)⟩. Using Lemma 3, for any algorithm B making q random oracle queries, the variational distance between the probability distributions of the outputs of B using a truly random oracle and the "not-quite" random oracle O_quant is at most 4q²√ε_sample, which is still negligible. Hence, O_quant is computationally indistinguishable from random.
Gentry et al. [GPV08] also show that SIGN^{O_c}(m, pk) is consistent with RAND^{O_c}(·, pk) for all queries, and that if A outputs a valid forgery (m, σ), FINISH^{O_c}(m, σ, pk) produces a collision for F with probability 1 − 2^{−E}, where E is the minimum over all y in the range of f(pk, ·) of the min-entropy of the distribution on σ given f(pk, σ) = y. The PSF of Gentry et al. [GPV08] has super-logarithmic min-entropy, so 1 − 2^{−E} is negligibly close to 1, though any constant non-zero min-entropy will suffice to make the quantity a non-negligible fraction of 1. □

We note that the security proof of Gentry et al. [GPV08] is a tight reduction in the following sense: if the advantage of an adversary A for S is ε, the reduction gives a collision finding adversary B for F with advantage negligibly close to ε, provided that the lower bound over y in the range of f(pk, ·) of the min-entropy of σ given f(pk, σ) = y is super-logarithmic. If the PSF has a min-entropy of 1, the advantage of B is still ε/2.

The following corollary, which is the main result of this section, follows from Theorems 1 and 2.

Corollary 1. If quantum-accessible pseudorandom functions exist, and F is a secure PSF against quantum adversaries, then the FDH-PSF signature scheme is secure in the quantum-accessible random oracle model.

4.2 Secure Signatures from Claw-Free Permutations 

In this section, we show how to use claw-free permutations to construct three signature schemes that have history-free reductions and are therefore secure in the quantum-accessible random oracle model. The first is the standard FDH from Definition 5, but when the underlying permutation is a claw-free permutation. We adapt the proof of Coron [Cor00] to give a history-free reduction. The second is the Katz and Wang [KW03] signature scheme, and we also modify their proof to get a history-free reduction. Lastly, following Gentry et al. [GPV08], we note that claw-free permutations give rise to a pre-image sampleable trapdoor function (PSF), which can then be used in FDH to get a secure signature scheme as in Section 4.1. The Katz-Wang and FDH-PSF schemes from claw-free permutations give a tight reduction, whereas the Coron-based proof loses a factor of q_s in the security reduction, where q_s is the number of signing queries.

Recall that a claw-free pair of permutations [GMR88] is a pair of trapdoor permutations (F_1, F_2), where F_i = (G_i, f_i, f_i^{-1}), with the following properties:

• G_1 = G_2. Define G = G_1 = G_2.

• For any key pk, f_1(pk, ·) and f_2(pk, ·) have the same domain and range.

• Given only pk, the probability that any PPT adversary can find a pair (x_1, x_2) such that f_1(pk, x_1) = f_2(pk, x_2) is negligible. Such a pair is called a claw.

Dodis and Reyzin [DR03] note that claw-free permutations are a generalization of trapdoor permutations with a random self-reduction. A random self-reduction is a way of taking a worst-case instance x of a problem, and converting it into a random instance y of the same problem, such that a solution to y gives a solution to x. Dodis and Reyzin [DR03] show that any trapdoor permutation with a random self-reduction (e.g. RSA) gives a claw-free pair of permutations.

We note that currently there are no candidate pairs of claw-free permutations 
that are secure against quantum adversaries, but this may change in time. 


FDH Signatures from Claw-Free Permutations. Coron [Cor00] shows that the Full Domain Hash signature scheme, when instantiated with the RSA trapdoor permutation, has a tighter security reduction than the general Full Domain Hash scheme, in the classical world. That is, Coron's reduction loses a factor of approximately q_s, the number of signing queries, as opposed to q_h, the number of hash queries. Of course, the RSA trapdoor permutation is not secure against quantum adversaries, but his reduction can be applied to any claw-free permutation and is equivalent to a history-free reduction with similar tightness.

To construct an FDH signature scheme from a pair of claw-free permutations (F_1, F_2), we simply instantiate FDH with F_1, and ignore the second permutation F_2, to yield the following signature scheme:

• G is the generator for the pair of claw-free permutations.

• S^O(sk, m) = f_1^{-1}(sk, O(m))

• V^O(pk, m, σ) = 1 if and only if f_1(pk, σ) = O(m).

We now present a history-free reduction for this scheme. The random oracle for this reduction, O_c(r), returns a random pair (a, b), where a is a random element from the domain of F_1 and F_2, and b is a random element from {1, ..., p} for some p to be chosen later.

We construct a history-free reduction from a classical adversary A for S to a classical adversary B for (F_1, F_2). Algorithm B, on input pk, works as follows:

• Compute START(pk) = (pk, pk), and simulate A on pk. Notice that z = pk is the state saved by B.

• When A queries O(r), compute RAND^{O_c}(r, pk). For each string r, RAND works as follows: compute (a, b) ← O_c(r). If b = 1, return f_2(pk, a). Otherwise, return f_1(pk, a).

• When A queries S(sk, m), compute SIGN^{O_c}(m, pk). SIGN works as follows: compute (a, b) ← O_c(m) and return a if b ≠ 1. Otherwise, fail.

• When A returns (m, σ), compute FINISH^{O_c}(m, σ, pk). FINISH works as follows: compute (a, b) ← O_c(m) and output (σ, a).

In addition, we have INSTANCE(pk) = pk and START(INSTANCE(pk)) = (pk, pk), so INSTANCE and START satisfy the required properties.

Theorem 3. The reduction above is in history-free form. 

Proof. RAND^{O_c}(r, pk) is completely random and independently distributed, as f_1(pk, a) and f_2(pk, a) are both random (f_i(pk, ·) is a permutation and a is truly random). As long as b ≠ 1, where (a, b) = O_c(m), SIGN^{O_c}(m, pk) will be consistent with RAND. This is because V^{RAND^{O_c}(·, pk)}(pk, m, SIGN^{O_c}(m, pk)) outputs 1 if RAND^{O_c}(m, pk) = f_1(pk, SIGN^{O_c}(m, pk)). But RAND^{O_c}(m, pk) = f_1(pk, a) (since b ≠ 1), and SIGN^{O_c}(m, pk) = a. Thus, the equality holds. The probability over all signature queries of no failure is (1 − 1/p)^{q_SIGN}. If we choose p = q_SIGN, this quantity is at least e^{−1} − o(1), which is non-negligible.

Suppose A returns a valid forgery (m, σ), meaning A never asked for a signature on m and f_1(pk, σ) = RAND^{O_c}(m, pk). If b = 1 (where (a, b) = O_c(m)), then we have f_1(pk, σ) = RAND^{O_c}(m, pk) = f_2(pk, a), meaning that (σ, a) is a claw. Since A never asked for a signature on m, there is no way A could have figured out a, so the case where b = 1 and a is the preimage of O(m) under f_2, and the case where b ≠ 1 and a is the preimage of O(m) under f_1, are indistinguishable. Thus, b = 1 with probability 1/p. Thus, B converts a valid signature into a claw with non-negligible probability. □

Corollary 2. If quantum-accessible pseudorandom functions exist, and (F_1, F_2) is a pair of claw-free trapdoor permutations, then the FDH scheme instantiated with F_1 is secure against quantum adversaries.

Note that in this reduction, our simulated random oracle is truly random, so we do not need to rely on Lemma 3. Hence, the tightness of the reduction will be the same as in the classical setting. Namely, if the quantum adversary A has advantage ε when making q_SIGN signature queries, B will have advantage approximately ε/q_SIGN.


The Katz-Wang Signature Scheme. In this section, we consider a variant of FDH due to Katz and Wang [KW03]. This scheme admits an almost tight security reduction in the classical world. That is, if an adversary has advantage ε, the reduction gives a claw finder with advantage ε/2. Their proof of security is not in history-free form, but it can be modified so that it is in history-free form. Given a pair of trapdoor permutations (F_1, F_2), the construction is as follows:

• G is the key generator for F.

• S^O(sk, m) = f_1^{-1}(sk, O(b, m)) for a random bit b.

• V^O(pk, m, σ) is 1 if either f_1(pk, σ) = O(0, m) or f_1(pk, σ) = O(1, m).

We construct a history-free reduction from an adversary A for S to an adversary B for (F_1, F_2). The random oracle for this reduction, O_c(r), generates a random pair (a, b), where a is a random element from the domain of F_1 and F_2, and b is a random bit. On input pk, B works as follows:

• Compute START(pk) = (pk, pk), and simulate A on pk. Notice that z = pk is the state saved by B.

• When A queries O(b, r), compute RAND^{O_c}(b, r, pk). For each string (b, r), RAND works as follows: compute (a, b') = O_c(r). If b = b', return f_1(pk, a). Otherwise, return f_2(pk, a).
• When A queries S(sk, m), compute SIGN^{O_c}(m, pk). SIGN works as follows: compute (a, b) = O_c(m) and return a.

• When A returns (m, σ), compute FINISH^{O_c}(m, σ, pk). FINISH works as follows: compute (a, b) = O_c(m). If σ = a, abort. Otherwise, output (σ, a).

In addition, we have INSTANCE(pk) = pk and START(INSTANCE(pk)) = (pk, pk), so INSTANCE and START satisfy the required properties.

Theorem 4. The reduction above is in history-free form. 

Proof. RAND^{O_c}(b, r, pk) is completely random and independently distributed, as f_1(pk, a) and f_2(pk, a) are both random (f_i is a permutation and a is truly random). Observe that f_1(pk, SIGN^{O_c}(m, pk)) = f_1(pk, a) = O(b, m) where (a, b) = O_c(m). Thus, signing queries are always answered with a valid signature, and the distribution of signatures is identical to that of the correct signing algorithm since b is chosen uniformly.

Suppose A returns a valid forgery (m, σ). Let (a, b) = O_c(m). There are two cases, corresponding to whether σ corresponds to a signature using b or 1 − b. In the first case, we have f_1(pk, σ) = O(b, m) = f_1(pk, a), meaning σ = a, so we abort. Otherwise, f_1(pk, σ) = O(1 − b, m) = f_2(pk, a), so (σ, a) form a claw. Since the adversary never asked for a signing query on m, these two cases are indistinguishable by the same logic as the proof for FDH. Thus, the probability of failure is at most a half, which is non-negligible. □

Corollary 3. If quantum-accessible pseudorandom functions exist, and (F_1, F_2) is a pair of claw-free trapdoor permutations, then the Katz-Wang signature scheme instantiated with F_1 is secure against quantum adversaries.

As in the case of FDH, our simulated quantum-accessible random oracle is truly random, so we do not need to rely on Lemma 3. Thus, the tightness of our reduction is the same as in the classical case. In particular, if the quantum adversary A_Q has advantage ε, then B will have advantage ε/2.


PSF Signatures from Claw-Free Permutations. Gentry et al. [GPV08] note that claw-free permutations give rise to pre-image sampleable trapdoor functions (PSFs). These PSFs can then be used to construct an FDH signature scheme as in Section 4.1.

Given a pair of claw-free permutations (F_1, F_2), define the following PSF: G is just the generator for the pair of permutations. Sample(pk) generates a random bit b and a random x in the domain of f_b, and returns (x, b). f(pk, x, b) = f_b(pk, x), and f^{-1}(sk, y) = (f_b^{-1}(sk, y), b) for a random b. Suppose we have a collision ((x_1, b_1), (x_2, b_2)) for this PSF. Then

f_{b_1}(pk, x_1) = f(pk, x_1, b_1) = f(pk, x_2, b_2) = f_{b_2}(pk, x_2).

If b_1 = b_2, then x_1 = x_2 since f_{b_1} is a permutation. But this is impossible since (x_1, b_1) ≠ (x_2, b_2). Thus, b_1 ≠ b_2, so one of (x_1, x_2) or (x_2, x_1) is a claw for
Hence, we can instantiate FDH with this PSF to get the following signature scheme:

• G is the generator for the permutations.

• S^O(sk, m) = (f_b^{-1}(sk, O(m)), b) for a random bit b.

• V^O(pk, m, (σ, b)) = 1 if and only if f_b(pk, σ) = O(m).

The security of this scheme follows from Corollary 1 with a similar tightness guarantee (this PSF has only a pre-image min-entropy of 1, which results in a loss of a factor of two in the tightness of the reduction). In particular, if we have a quantum adversary A_Q for S with advantage ε, we get a quantum algorithm B_Q for the PSF with advantage ε/2, which gives us a quantum algorithm C_Q that finds claws of (F_1, F_2) with probability ε/2.
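The two claw-free constructions of this section, run end to end, as an added example that is not code from the paper. It covers the Coron-style history-free reduction of Theorem 3 (RAND, SIGN, FINISH with z = pk) and the PSF built from a claw-free pair just above. It assumes a classroom-sized RSA instance (N = 61·53 = 3233, e = 17, d = 2753) turned into a claw-free pair the Dodis-Reyzin way, f_1(x) = x^e mod N and f_2(x) = y·x^e mod N for a public random y, so that a claw yields the e-th root of y. SHA-256 stands in for the classical random oracle O_c, P_BUCKETS stands in for the parameter p, and the "forger" is a stub that uses the trapdoor d (there is no real forger; the stub only exercises FINISH). All names, constants and messages are constructed for the example.

```python
import hashlib
import random
from math import gcd

# Classroom RSA instance (p = 61, q = 53): N = 3233, e = 17, d = 2753.
# Constructed for illustration only; nothing here is secure.
N, E, D = 3233, 17, 2753
PK_Y = 2789      # public shift y of the claw-free pair (assumed random in Z_N^*)
P_BUCKETS = 4    # plays the role of p in the reduction (p ~ q_SIGN in the proof)

# Claw-free pair (F_1, F_2) from RSA's random self-reduction (Dodis-Reyzin):
#   f_1(x) = x^e mod N,   f_2(x) = y * x^e mod N.
# Both are permutations of Z_N^*; a claw f_1(x1) = f_2(x2) gives (x1 / x2)^e = y.
def f1(x): return pow(x, E, N)
def f2(x): return PK_Y * pow(x, E, N) % N
def f1_inv(v): return pow(v, D, N)                          # needs the trapdoor d
def f2_inv(v): return pow(v * pow(PK_Y, -1, N) % N, D, N)   # needs the trapdoor d

def to_unit(v: int) -> int:
    """Map an integer onto Z_N^*, the common domain and range of f_1 and f_2."""
    v = v % (N - 1) + 1
    while gcd(v, N) != 1:
        v += 1
    return v

def O_c(r: bytes):
    """Classical random oracle of the reduction, modelled by SHA-256.
    Returns (a, b): a domain element and a bucket b in {1..p}.
    History-free: the answer depends on r alone, never on earlier queries."""
    h = hashlib.sha256(r).digest()
    a = to_unit(int.from_bytes(h[:16], "big"))
    b = int.from_bytes(h[16:], "big") % P_BUCKETS + 1
    return a, b

# --- The history-free reduction of Theorem 3 (z = pk is the only state) ---
def RAND(r: bytes) -> int:
    """Simulated hash O(r): f_2(a) when the bucket is 1, else f_1(a)."""
    a, b = O_c(r)
    return f2(a) if b == 1 else f1(a)

def SIGN(m: bytes):
    """Answer a signing query with a, or fail (None) when the bucket is 1."""
    a, b = O_c(m)
    return None if b == 1 else a

def FINISH(m: bytes, sigma: int):
    """Turn a forgery (m, sigma) into the candidate claw (sigma, a)."""
    a, _ = O_c(m)
    return sigma, a

def verify(m: bytes, sigma: int) -> bool:
    """FDH verification relative to the simulated oracle: f_1(sigma) = O(m)."""
    return f1(sigma) == RAND(m)

def is_claw(x1: int, x2: int) -> bool:
    return f1(x1) == f2(x2)

def claw_to_rsa_root(x1: int, x2: int) -> int:
    """Random self-reduction: from a claw recover y^(1/e) = x1 / x2 mod N."""
    return x1 * pow(x2, -1, N) % N

def run_reduction():
    """Drive the reduction on constructed messages.  The 'forger' cheats with the
    trapdoor d so that FINISH can be exercised; B itself never uses d."""
    msgs = [b"constructed message %d" % i for i in range(64)]
    # (1) every answered signing query is consistent with RAND (Theorem 3)
    consistent = all(verify(m, SIGN(m)) for m in msgs if SIGN(m) is not None)
    # (2) a forgery on a bucket-1 message yields a claw (Theorem 3)
    m_star = next(m for m in msgs if O_c(m)[1] == 1)
    sigma = f1_inv(RAND(m_star))      # trapdoor-assisted stand-in for A's forgery
    claw = FINISH(m_star, sigma)
    return consistent, claw, claw_to_rsa_root(*claw)

# --- PSF from the claw-free pair (last construction of Section 4.2) ---
def psf_sample(rng=random):
    """Sample(pk): a random bit b and a random x in the domain of f_b."""
    b = rng.randrange(2)
    return to_unit(rng.randrange(1, N)), b

def psf_f(x: int, b: int) -> int:
    """f(pk, x, b) = f_b(pk, x); bit 0 selects f_1, bit 1 selects f_2."""
    return f1(x) if b == 0 else f2(x)

def psf_f_inv(v: int, b: int):
    """f^{-1}(sk, v) for the chosen bit b (the scheme picks b at random)."""
    return (f1_inv(v) if b == 0 else f2_inv(v)), b

def psf_collision_to_claw(x1: int, b1: int, x2: int, b2: int):
    """A collision (x1, b1) != (x2, b2) with f(x1, b1) = f(x2, b2) forces
    b1 != b2 (each f_b is a permutation), so it is a claw up to ordering."""
    if (x1, b1) == (x2, b2) or psf_f(x1, b1) != psf_f(x2, b2):
        raise ValueError("not a collision")
    if b1 == b2:
        raise ValueError("impossible: f_b is a permutation")
    return (x1, x2) if b1 == 0 else (x2, x1)
```

The bucket count illustrates the tightness trade-off of the proof: with p buckets, SIGN survives a signing query with probability 1 − 1/p, while a forgery lands on a bucket-1 message (and hence gives a claw) with probability 1/p.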

5 Encryption Schemes in the Quantum-Accessible 
Random Oracle Model 

In this section, we prove the security of two encryption schemes. The first is the BR encryption scheme due to Bellare and Rogaway [BR93], which we show is CPA secure. The second is a hybrid generalization of the BR scheme, which we show is CCA secure.

Ideally, we could define a general type of classical reduction like we did for signatures, and show that such a reduction implies quantum security. Unfortunately, defining a history-free reduction for encryption is considerably more complicated than for signatures. We therefore directly prove the security of two random oracle schemes in the quantum setting.

5.1 CPA Security of BR Encryption 

In this section, we prove the security of the BR encryption scheme [BR93] against quantum adversaries:

Definition 6 (BR Encryption Scheme). Let F = (G_0, f, f^{-1}) be an injective trapdoor function, and O a hash function with the same domain as f(pk, ·). We define the following encryption scheme, E = (G, E, D), where:

• E^O(pk, m) = (f(pk, r), O(r) ⊕ m) for a randomly chosen r.

• D^O(sk, (y, c)) = c ⊕ f^{-1}(sk, y)

A candidate quantum-immune injective trapdoor function can be built from hard problems on lattices [PW08].

Theorem 5. If quantum-accessible pseudorandom functions exist and F is a quantum-immune injective trapdoor function, then E is quantum CPA secure.

We omit the proof of Theorem 5 because the CPA security of the BR encryption scheme is a special case of the CCA security of the hybrid encryption scheme in the next section.


Random Oracles in a Quantum World 



5.2 CCA Security of Hybrid Encryption 

We now prove the CCA security of the following standard hybrid encryption, a generalization of the BR encryption scheme [BR93], built from an injective trapdoor function and a symmetric key encryption scheme.

Definition 7 (Hybrid Encryption Scheme). Let F = (G_0, f, f^{-1}) be an injective trapdoor function, E_S = (E_S, D_S) a CCA secure symmetric key encryption scheme, and O a hash function. We define the following encryption scheme, E = (G, E, D), where:

• E^O(pk, m) = (f(pk, r), E_S(O(r), m)) for a randomly chosen r.

• D^O(sk, (y, c)) = D_S(O(r'), c) where r' = f^{-1}(sk, y)

We note that the BR encryption scheme from the previous section is a special case of this hybrid encryption scheme where E_S is the one-time pad. That is, E_S(k, m) = k ⊕ m and D_S(k, c) = k ⊕ c.
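Definition 7 with a pluggable E_S, as an added example that is not code from the paper. Plugging in the one-time pad gives exactly the BR scheme of Definition 6; plugging in an encrypt-then-MAC scheme gives a variant that rejects modified ciphertexts. It assumes a classroom RSA instance (N = 3233, e = 17, d = 2753) as the injective trapdoor function f, SHA-256 as the hash O whose range is the 32-byte key space of E_S, and a constructed encrypt-then-MAC E_S; the function names and the probe message are the example's own. Flipping one bit of a one-time-pad ciphertext flips the same bit of the plaintext, which is why the BR instantiation is only claimed CPA secure above, while the hybrid scheme needs a CCA secure E_S.

```python
import hashlib
import hmac
import random

# Classroom RSA instance (p = 61, q = 53) used as the injective trapdoor
# function f(pk, r) = r^e mod N.  Constructed for illustration; not secure.
N, E, D = 3233, 17, 2753

def f(r: int) -> int:
    return pow(r, E, N)

def f_inv(y: int) -> int:          # uses the trapdoor d
    return pow(y, D, N)

def O(r: int) -> bytes:
    """Hash O modelled by SHA-256 over the domain of f; range = key space of E_S."""
    return hashlib.sha256(r.to_bytes(2, "big")).digest()

# --- Symmetric scheme 1: one-time pad, E_S(k, m) = k XOR m.  With this E_S
# the hybrid scheme is exactly the BR scheme of Definition 6.
def otp_enc(k: bytes, m: bytes) -> bytes:
    assert len(m) <= len(k), "one-time pad: message no longer than the key"
    return bytes(a ^ b for a, b in zip(m, k))

otp_dec = otp_enc   # XOR is its own inverse

# --- Symmetric scheme 2: encrypt-then-MAC (constructed stand-in for a CCA
# secure E_S): pad under SHA-256(k || "enc"), tag under HMAC(k || "mac").
def _etm_keys(k: bytes):
    return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()

def etm_enc(k: bytes, m: bytes) -> bytes:
    ke, km = _etm_keys(k)
    body = otp_enc(ke, m)
    return body + hmac.new(km, body, hashlib.sha256).digest()

def etm_dec(k: bytes, c: bytes):
    ke, km = _etm_keys(k)
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, body, hashlib.sha256).digest()):
        return None          # reject: the ciphertext was modified
    return otp_dec(ke, body)

# --- The hybrid scheme of Definition 7, parameterised by (E_S, D_S) ---
def encrypt(m: bytes, E_S, rng=random):
    r = rng.randrange(1, N)                 # random r in the domain of f
    return f(r), E_S(O(r), m)               # (f(pk, r), E_S(O(r), m))

def decrypt(ct, D_S):
    y, c = ct
    return D_S(O(f_inv(y)), c)              # D_S(O(r'), c), r' = f^{-1}(sk, y)

def flip_first_bit(ct):
    """Malleability probe: flip one bit of the symmetric part of a ciphertext."""
    y, c = ct
    return y, bytes([c[0] ^ 0x01]) + c[1:]
```

The decryption routine is the same for both instantiations; only D_S changes, which mirrors the proof's treatment of E_S as a black box.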

Theorem 6. If quantum-accessible pseudorandom functions exist, F is a quantum-immune injective trapdoor function, and E_S is a quantum CCA secure symmetric key encryption scheme, then E is quantum CCA secure.

Proof. Suppose we have an adversary A_Q that breaks E. We start with the standard security game for CCA secure encryption:

Game 0. Define Game_0 as the game a quantum adversary A_Q plays for problem Asym-CCA(E).

Game 1. Define Game_1 as the following game: the challenger generates (sk, pk) ← G(1^n), a random r in the domain of F, a random k in the key space of E_S, and computes y = f(pk, r). The challenger has access to a quantum-accessible random oracle O_q whose range is the key space of E_S. It then sends pk to A_Q. The challenger answers queries as follows:

• Random oracle queries are answered with the random oracle O_quant, which takes a basis element |x, y⟩ into |x, y ⊕ O_q(f(pk, x))⟩.

• Decryption queries on (y', d) are answered as follows:

Case 1: If y = y', respond with D_S(k, d).

Case 2: If y ≠ y', respond with D_S(O_q(y'), d).

• The challenge query on (m_0, m_1) is answered as follows: choose a random b. Then, respond with (y, E_S(k, m_b)).

When A_Q responds with b', we say that A_Q won if b = b'.

Observe that, because f is injective and O_q is random, the oracle O_quant is a truly random oracle with the same range as O_q. The challenge ciphertext (y, c) seen by A_Q is distributed identically to that of Game_0. Further, it is a valid
encryption of m_b relative to the random oracle being O_quant if O_q(y) = k. For y' ≠ y, the decryption of (y', d) is

D_S(O_q(y'), d) = D_S(O_quant(f^{-1}(sk, y')), d) = D^{O_quant}(sk, (y', d)),

which is correct. Likewise, if O_q(y) = k, the decryption of (y, d) is also correct. Thus, the view of A_Q in Game_1 is identical to that in Game_0 if O_q(y) = k. We now make the following observations:

• The challenge query and decryption query answering algorithms never query O_q on y.

• Each quantum random oracle query from the adversary to O_quant leads to a quantum random oracle query from the challenger to O_q. The query magnitude of y in the challenger's query to O_q is the same as the query magnitude of r in the adversary's query to O_quant.

Let ε be the sum of the square magnitudes of y over all queries made to O_q (i.e. the total query probability of y). This is identical to the total query probability of r over all queries A_Q makes to O_quant.

We now construct a quantum algorithm $B_{\mathcal{F}}^{O_q}$ that uses a quantum-accessible random oracle $O_q$ and inverts $f$ with probability $\epsilon/q$, where $q$ is the number of random oracle queries made by $A_q$. $B_{\mathcal{F}}^{O_q}$ takes as input $(pk, y)$, and its goal is to output $r = f^{-1}(sk, y)$. $B_{\mathcal{F}}^{O_q}$ works as follows:

• Generate a random $k$ in the key space of $\mathcal{E}_S$. Also, generate a random $i \in \{1, \ldots, q\}$. Now, send $pk$ to $A_q$ and play the role of challenger to $A_q$.

• Answer random oracle queries with the random oracle $O_{quant}$, which takes a basis element $|x, y\rangle$ into $|x, y \oplus O_q(f(pk, x))\rangle$.

• Answer decryption queries on $(y', d)$ as follows:

Case 1: If $y = y'$, respond with $D_S(k, d)$.

Case 2: If $y \neq y'$, respond with $D_S(O_q(y'), d)$.

• Answer the challenge query on $(m_0, m_1)$ as follows: choose a random bit $b$. Then, respond with $(y, E_S(k, m_b))$.

• At the $i$th random oracle query, measure the query to obtain $r'$, then output $r'$ and terminate.

Comparing our definition of $B_{\mathcal{F}}^{O_q}$ to Game 1, we can conclude that the view seen by $A_q$ in both cases is identical. Thus, the total query probability that $A_q$ makes to $O_{quant}$ at the point $r$ is $\epsilon$. Hence, the probability that $B_{\mathcal{F}}^{O_q}$ outputs $r$ is $\epsilon/q$. If we assume that $\mathcal{F}$ is secure against quantum adversaries that use a quantum-accessible random oracle, then this quantity, and hence $\epsilon$, must be negligible. As in the case of signatures (Section [ref]), we can replace this assumption with the assumption that $\mathcal{F}$ is secure against quantum adversaries (i.e. with no access to a quantum random oracle) and that quantum-accessible pseudorandom functions exist, and reach the same conclusion.

Since $\epsilon$ is negligible, we can change $O_q$ so that $O_q(y) = k$ in Game 1, thus getting a game identical to Game 0 from the adversary's point of view. Notice that in Game 0 and Game 1, $A_q$ is in a pure state because we are only applying unitary transformations, performing measurements, or performing classical communication. We are only changing the oracle at a point with negligible total query probability, so Lemma [ref] tells us that making this change only affects the distribution of the outcome of Game 1 negligibly. This allows us to conclude that the success probability of $A_q$ in Game 1 is negligibly close to that in Game 0.

Now, assume that the success probability of $A_q$ in Game 1 is non-negligible. We define a quantum algorithm $B_{\mathcal{E}_S}^{O_q}$ that uses a quantum-accessible random oracle $O_q$ to break the CCA security of $\mathcal{E}_S$. $B_{\mathcal{E}_S}^{O_q}$ works as follows:

• On input $1^n$, generate $(sk, pk) \leftarrow G(1^n)$. Also, generate a random $r$, and compute $y = f(pk, r)$. Now send $pk$ to $A_q$ and play the role of challenger to $A_q$.

• Answer random oracle queries with the random oracle $O_{quant}$, which takes a basis element $|x, y\rangle$ into $|x, y \oplus O_q(f(pk, x))\rangle$.

• Answer decryption queries on $(y', d)$ as follows:

Case 1: If $y = y'$, ask the $\mathcal{E}_S$ challenger for the decryption $D_S(k, d)$ to obtain $m'$. Return $m'$ to $A_q$.

Case 2: If $y \neq y'$, respond with $D_S(O_q(y'), d)$.

• Answer the challenge query on $(m_0, m_1)$ by forwarding the pair to the $\mathcal{E}_S$ challenger. When the challenger responds with $c$ (which equals $E_S(k, m_b)$ for some $b$), return $(y, c)$ to $A_q$.

• When $A_q$ outputs $b'$, output $b'$ and halt.

Comparing our definition of $B_{\mathcal{E}_S}^{O_q}$ to that of Game 1, we can conclude that the view of $A_q$ in both cases is identical. Thus, $A_q$ succeeds with non-negligible probability. If $A_q$ succeeds, it means it returned $b$, meaning $B_{\mathcal{E}_S}^{O_q}$ also succeeded. Thus, we have an algorithm with a quantum random oracle that breaks $\mathcal{E}_S$. This is a contradiction if $\mathcal{E}_S$ is CCA secure against quantum adversaries with access to a quantum random oracle, which holds since $\mathcal{E}_S$ is CCA secure against quantum adversaries and quantum-accessible pseudorandom functions exist, by assumption.

Thus, the success probability of $A_q$ in Game 1 is negligible, so the success probability of $A_q$ in Game 0 is also negligible. Hence, we have shown that all polynomial-time quantum adversaries have negligible advantage in breaking the CCA security of $\mathcal{E}$, so $\mathcal{E}$ is CCA secure. □

We briefly explain why Theorem [ref] is a special case of Theorem [ref]. Notice that, in the above proof, $B_{\mathcal{E}_S}$ only queries its decryption oracle when answering decryption queries made by $A_q$, and that it never makes encryption queries. Hence, if $A_q$ makes no decryption queries, $B_{\mathcal{E}_S}$ makes no queries at all except the challenge query. If we are only concerned with the CPA security of $\mathcal{E}$, we then only need $\mathcal{E}_S$ to be secure against adversaries that can only make the challenge query. Further, if we only let $A_q$ make a challenge query with messages of length $n$, then $\mathcal{E}_S$ only has to be secure against adversaries making challenges of a specific length. But this is exactly the model in which the one-time pad is unconditionally secure. Hence, the BR encryption scheme is secure, and we have proved Theorem [ref].
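As an added illustration (not code from the paper), the following Python block instantiates the hybrid scheme used in the proof above with toy stand-ins: a textbook RSA permutation as the injective trapdoor function $f$, a lazily sampled table as the random oracle $O_q$, and an XOR keystream cipher as the one-time-pad-style $\mathcal{E}_S$ of the BR scheme. It checks the Case 2 identity $D_S(O_q(y'), d) = D^{O_{quant}}(sk, (y', d))$ on a concrete ciphertext and shows the reprogramming step that sets $O_q(y) = k$, which turns the challenge ciphertext $(y, E_S(k, m_b))$ into a valid encryption. The primes, the oracle table, the cipher and every function name are assumptions made for the example.

```python
import hashlib
import secrets

# Toy injective trapdoor function F: textbook RSA over Z_N.
# Assumption: these primes (the 10000th and 100000th primes) are constructed for
# illustration only; any injective trapdoor function would do in this role.
P_RSA, Q_RSA = 104729, 1299709
N = P_RSA * Q_RSA
PK = (N, 65537)                                       # f(pk, r) = r^e mod N
SK = (N, pow(65537, -1, (P_RSA - 1) * (Q_RSA - 1)))   # f^{-1}(sk, y) = y^d mod N


def f(pk, r):
    """The trapdoor function F(pk, r); an RSA permutation of Z_N, hence injective."""
    n, e = pk
    return pow(r, e, n)


def f_inv(sk, y):
    """F^{-1}(sk, y) using the trapdoor exponent d."""
    n, d = sk
    return pow(y, d, n)


class RandomOracle:
    """O_q: a lazily sampled random function into the key space of E_S (32-byte keys).
    `program` models the proof step that changes the oracle at a single point."""

    def __init__(self):
        self.table = {}

    def query(self, y):
        if y not in self.table:
            self.table[y] = secrets.token_bytes(32)
        return self.table[y]

    def program(self, y, k):
        self.table[y] = k


def o_quant(oracle, pk, x):
    """The challenger's oracle O_quant(x) = O_q(f(pk, x)); random because f is injective."""
    return oracle.query(f(pk, x))


# E_S: a one-time-pad-style cipher as in the BR scheme; the pad is SHA-256(k || counter).
# Assumption: this stands in for any symmetric scheme E_S; decryption is the same XOR.
def _keystream(k, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(k + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def e_s(k, m):
    return bytes(a ^ b for a, b in zip(m, _keystream(k, len(m))))


d_s = e_s


def encrypt(pk, m, H):
    """The hybrid scheme E^H(pk, m): pick r, output (f(pk, r), E_S(H(r), m))."""
    r = secrets.randbelow(pk[0] - 2) + 2
    return f(pk, r), e_s(H(r), m)


def decrypt(sk, ct, H):
    """Honest decryption D^H(sk, (y, d)) = D_S(H(f^{-1}(sk, y)), d)."""
    y, d = ct
    return d_s(H(f_inv(sk, y)), d)


def simulator_decrypt(oracle, ct):
    """Case 2 of the reduction: answer (y', d) with D_S(O_q(y'), d); no trapdoor needed."""
    y, d = ct
    return d_s(oracle.query(y), d)


def demo():
    oracle = RandomOracle()
    H = lambda x: o_quant(oracle, PK, x)  # the oracle the adversary sees
    m = b"quantum random oracle"
    ct = encrypt(PK, m, H)
    honest = decrypt(SK, ct, H)                 # D^{O_quant}(sk, (y', d))
    simulated = simulator_decrypt(oracle, ct)   # D_S(O_q(y'), d): equal by the identity
    # Challenge ciphertext (y, E_S(k, m_b)) with k chosen independently of the oracle:
    r = secrets.randbelow(N - 2) + 2
    y, k = f(PK, r), secrets.token_bytes(32)
    chal = (y, e_s(k, b"challenge"))
    before = decrypt(SK, chal, H)   # inconsistent unless O_q(y) = k
    oracle.program(y, k)            # the proof's step: change O_q so that O_q(y) = k
    after = decrypt(SK, chal, H)    # now a valid encryption of m_b
    return honest, simulated, before, after


if __name__ == "__main__":
    print(demo())
```

The point to notice is that `simulator_decrypt` never touches `SK`: once $O_{quant}$ is defined as $O_q \circ f$, every decryption of a non-challenge ciphertext can be answered from $O_q(y')$ alone, which is what lets the reductions in the proof play the challenger without the trapdoor.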

6 Conclusion 

We have shown that great care must be taken if using the random oracle model 
when arguing security against quantum attackers. Proofs in the classical case 
should be reconsidered, especially in case the quantum adversary can access the 
random oracle with quantum states. We also developed conditions for translating 
security proofs in the classical random oracle model to the quantum random 
oracle model. We applied these tools to certain signature and encryption schemes. 

The foremost question raised by our results is to what extent techniques for “classical random oracles” can be applied in the quantum case. This stems from the fact that manipulating or even observing the interaction with the quantum-accessible random oracle would require measurements of the quantum states. That, however, prevents further processing of the query in a quantum manner. We gave several examples of schemes that remain secure in the quantum setting, provided quantum-accessible pseudorandom functions exist. The latter primitive seems to be fundamental to simulate random oracles in the quantum world. Showing or disproving the existence of such pseudorandom functions is thus an important step.

Many classical random oracle results remain open in the quantum random oracle setting. It is not known how to prove security of generic FDH signatures, or of signatures derived from the Fiat-Shamir heuristic, in the quantum random oracle model. Similarly, a secure generic transformation from CPA to CCA security in the quantum RO model is still open.
Abstract. Lossy encryption was originally studied as a means of achieving efficient and composable oblivious transfer. Bellare, Hofheinz and Yilek showed that lossy encryption is also selective opening secure. We present new and general constructions of lossy encryption schemes and of cryptosystems secure against selective opening adversaries.

We show that every re-randomizable encryption scheme gives rise to efficient encryptions secure against a selective opening adversary. We show that statistically-hiding 2-round Oblivious Transfer implies Lossy Encryption and so do smooth hash proof systems. This shows that private information retrieval and homomorphic encryption both imply Lossy Encryption, and thus Selective Opening Secure Public Key Encryption.

Applying our constructions to well-known cryptosystems, we obtain selective opening secure commitments and encryptions from the Decisional Diffie-Hellman, Decisional Composite Residuosity and Quadratic Residuosity assumptions.

In an indistinguishability-based model of chosen-ciphertext selective opening security, we obtain secure schemes featuring short ciphertexts under standard number theoretic assumptions. In a simulation-based definition of chosen-ciphertext selective opening security, we also handle non-adaptive adversaries by adapting the Naor-Yung paradigm and using the perfect zero-knowledge proofs of Groth, Ostrovsky and Sahai.

Keywords: Public key encryption, commitment, lossy encryption, homomorphic encryption, selective opening, chosen-ciphertext security.


1 Introduction 

In Byzantine agreement, and more generally in secure multiparty computation, it is often assumed that all parties are connected to each other via private channels. In practice, these private channels are implemented using a public-key cryptosystem. An adaptive adversary in a MPC setting, however, has very different powers than an adversary in an IND-CPA or IND-CCA game. In particular, an adaptive MPC adversary may view all the encryptions sent in a given round, and then choose to corrupt a certain fraction of the players, thus revealing the decryptions of those players' messages and the randomness used to encrypt them. A natural question is whether the messages sent from the uncorrupted players remain secure. If the messages (and randomness) of all the players are chosen independently, then security in this setting follows from the IND-CPA security of the underlying encryption. If, however, the messages are not independent, the security does not immediately follow from the IND-CPA (or even IND-CCA) security of the underlying scheme. Although this problem was first investigated over twenty years ago, it remains an open question whether IND-CPA security implies this selective opening security.

Previous Work. There have been many attempts to design encryption protocols that can be used to implement secure multiparty computation against an adaptive adversary. The first protocols by Beaver and Haber [ref] required interaction between the sender and receiver, required erasure and were fairly inefficient. The first non-interactive protocol was given by Canetti, Feige, Goldreich and Naor in [ref]. In [ref] the authors defined a new primitive called Non-Committing Encryption, and gave an example of such a scheme based on the RSA assumption. In [ref], Beaver extended the work of [ref], and created adaptively secure key exchange under the Diffie-Hellman assumption. In subsequent work, Damgård and Nielsen improved the efficiency of the schemes of Canetti et al. and Beaver; they were also able to obtain Non-Committing Encryption based on one-way trapdoor functions with invertible sampling. In [ref], Canetti, Halevi and Katz presented a Non-Committing encryption protocol with evolving keys.

In [ref], Canetti, Dwork, Naor and Ostrovsky extended the notion of Non-Committing Encryption to a new protocol which they called Deniable Encryption. In Non-Committing Encryption schemes there is a simulator, which can generate non-committing ciphertexts, and later open them to any desired message, while in Deniable Encryption, valid encryptions generated by the sender and receiver can later be opened to any desired message. The power of this primitive made it relatively difficult to realize, and Canetti et al. were only able to obtain modest examples of Deniable Encryption and left it as an open question whether fully deniable schemes could be created.

The notions of security against an adaptive adversary can also be applied to commitments. According to [ref], the necessity of adaptively-secure commitments was realized by 1985. Despite its utility, until recently, relatively few papers directly addressed the question of commitments secure against a selective opening adversary (SOA). The work of Dwork, Naor, Reingold and Stockmeyer [ref] was the first to explicitly address the problem. In [ref], Dwork et al. showed that non-interactive SOA-secure commitments can be used to create a 3-round zero-knowledge proof system for NP with negligible soundness error, and they gave constructions of a weak form of SOA-secure commitments, but left open the question of whether general SOA-secure commitments exist.

The question of SOA-secure commitments was put on firm foundations by Hofheinz [ref] and Bellare, Hofheinz and Yilek in [ref]. In [ref], Bellare et al. provided simulation-based and indistinguishability-based definitions of security (these will be given the prefixes SEM and IND respectively) and gave a number of constructions and strong black-box separations, which indicated the difficulty of constructing selective opening secure commitments. Our results in the selective opening setting build on the breakthrough results of [ref].

The independent work of Fehr, Hofheinz, Kiltz and Wee [ref] also examines the case of CCA2 cryptosystems that are selective opening secure. In their work, they show how to adapt the universal hash proof systems of [ref] to provide CCA2 security in the selective opening setting. Their constructions are general, and offer the first SEM-SO-CCA secure cryptosystem whose parameters are completely independent of $n$, the number of messages. Their work also considers selective opening security against chosen-plaintext attacks, and using techniques from Non-Committing Encryption [ref] they construct SEM-SO-CPA secure systems from enhanced one-way trapdoor permutations.

Bellare, Waters and Yilek [ref] show how to construct Identity-Based Encryption (IBE) schemes secure under selective-opening attacks. Our results are orthogonal to theirs. Their work constructs IBE schemes secure under selective-opening attacks, while our work starts with a tag-based encryption scheme, and uses it to construct encryption schemes that are secure against a selective-opening chosen-ciphertext attack, but are not identity-based.

Our Contributions. We primarily consider encryptions secure against a selective opening adversary. First we consider a selective-opening adversary who can mount a chosen-plaintext attack, and in the second part we consider a selective-opening adversary who can mount a chosen-ciphertext attack.

Selective Opening Security Against Chosen-Plaintext Attacks. We formalize the notion of re-randomizable Public-Key Encryption and show that it implies Lossy Encryption [ref]. Combining this with the observation (due to Bellare et al. [ref]) that Lossy Encryption is IND-SO-CPA secure, we obtain an efficient construction of IND-SO-CPA secure encryption from any re-randomizable encryption (which generalizes and extends previous results). Moreover, these constructions retain the efficiency of the underlying re-randomizable cryptosystem.

Applying our results to the Paillier cryptosystem [ref], we obtain an encryption scheme attaining a strong, simulation-based form of semantic security under selective openings (SEM-SO-CPA security). This is the first such construction from the Composite Residuosity (DCR) assumption. As far as bandwidth goes, it is also the most efficient SEM-SO-CPA secure encryption scheme to date. The possible use of Paillier as a lossy encryption scheme implicitly appears in [ref]. To the best of our knowledge, its SEM-SO-CPA security was not reported earlier.

Next, we show that Lossy Encryption is also implied by (honest-receiver) statistically-hiding $\binom{2}{1}$-Oblivious Transfer and hash proof systems [ref]. Combining this with the results of [ref], we recognize that the relatively new Lossy Encryption primitive is essentially a different way to view the well-known statistically-hiding $\binom{2}{1}$-OT primitive. Applying the reductions in [ref] to this result yields constructions of SOA secure encryption from both private information retrieval (PIR) and homomorphic encryption.

These results show that the Lossy and Selective Opening Secure Encryption primitives (at least according to the latter's indistinguishability-based security definition), which have not been extensively studied until recently, are actually implied by several well-known primitives: i.e., re-randomizable encryption, PIR, homomorphic encryption, hash proof systems and statistically-hiding $\binom{2}{1}$-OT. So far, the only known general constructions of lossy encryption were from lossy trapdoor functions. Our results show that they can be obtained from many seemingly weaker primitives (see Figure 1).



Fig. 1. Constructing Lossy Encryption (diagram not reproduced: solid arrows mark implications shown in this paper, dashed arrows those shown in previous work).


Selective Opening Security Against Chosen-Ciphertext Attacks: Continuing the study of selective-opening security, we present definitions of chosen-ciphertext security (CCA2) in the selective opening setting (in both the indistinguishability and simulation-based models) and describe encryption schemes that provably satisfy these enhanced forms of security. Despite recent progress, relatively few methods are known for constructing IND-CCA2 cryptosystems in the standard model. The problem is even more complex with selective openings, where some known approaches for CCA2 security do not seem to apply. We note how the Naor-Yung paradigm, even when applied with statistical zero knowledge proofs, fails to prove CCA2 security in the selective opening setting. Essentially, this is because the selective opening adversary learns the randomness used in the signature scheme, which allows him to forge signatures, and thus create ciphertexts that cannot be handled by the simulated decryption oracle.

The results of Fehr, Hofheinz, Kiltz and Wee [ref] show how to modify universal hash proof systems [ref] to achieve security under selective openings. We take a different approach and follow (a variant of) the Canetti-Halevi-Katz paradigm [ref]. This too encounters many obstacles in the selective opening setting. Nevertheless, under standard assumptions (such as DDH or the Composite Residuosity assumption), we construct schemes featuring compact ciphertexts while resisting adaptive (i.e., CCA2) chosen-ciphertext attacks according to our indistinguishability-based definition. When comparing our schemes to those of [ref], we note that our public key size depends on $n$, the number of senders that can possibly be corrupted, while the systems of [ref] are independent of $n$. On the other hand, to encrypt $m$-bit messages with security parameter $\lambda$, our ciphertexts are of length $O(\lambda + m)$, while theirs are of length $O(\lambda m)$. Our public keys are longer than in [ref] because our construction relies on All-But-N Lossy Trapdoor Functions (defined below), which have long descriptions. The recent complementary work of Hofheinz [ref] shows how to create All-But-Many Trapdoor Functions with short keys. Using his results in our construction eliminates the dependence of the public-key size on $n$. Regarding security definitions, our constructions satisfy an indistinguishability-based definition (IND-SO-CCA), whereas theirs fit a simulation-based definition (SEM-SO-CCA) which avoids the restriction on the efficient conditional re-sampleability of the message distribution.

The scheme of [ref] is very different from ours and we found it interesting to investigate the extent to which well-known paradigms like [ref] can be applied in the present context. Moreover, by adapting the Naor-Yung paradigm [ref] under more general assumptions, we give a CCA1 construction that also satisfies a strong simulation-based notion of adaptive selective opening security.

One advantage of our IND-SO-CCA scheme is the ability to natively encrypt multi-bit messages. It is natural to consider whether our approach applies to the scheme of Bellare, Waters and Yilek [ref] to achieve multi-bit IND-SO-CCA encryption. The scheme of [ref], like [ref], encrypts multi-bit messages in a bitwise manner. Applying a Canetti-Halevi-Katz-like transformation to the construction of [ref] does not immediately yield IND-SO-CCA encryption schemes for multi-bit messages: the reason is that it is not clear how to prevent the adversary from reordering the bit encryptions without employing a one-time signature scheme.

2 Background 

If $f : X \to Y$ is a function, for any subset $Z \subseteq X$, we let $f(Z) = \{f(x) : x \in Z\}$. If $A$ is a PPT machine, then $a \leftarrow A$ denotes the action of running $A$ and obtaining an output $a$, which is distributed according to the internal randomness of $A$. Also, $\mathrm{coins}(A)$ denotes the distribution of $A$'s internal randomness, so that the distribution $\{a \leftarrow A\}$ is actually $\{r \leftarrow \mathrm{coins}(A) : a = A(r)\}$. If $R$ is a set, we use $r \leftarrow R$ to denote sampling uniformly from $R$.

When $\lambda$ is a security parameter, $\mathrm{negl}(\lambda)$ denotes the set of negligible functions (i.e., which decrease faster than the inverse of any polynomial in $\lambda$). If $X$ and $Y$ are families of distributions indexed by $\lambda$, their statistical indistinguishability is written as $X \approx_s Y$. We write $X \approx_c Y$ to express that $X$ and $Y$ are computationally indistinguishable, i.e., for all PPT adversaries $A$, for all polynomials $p$, then for all sufficiently large $\lambda$, we have $|\Pr[A^X = 1] - \Pr[A^Y = 1]| \in \mathrm{negl}(\lambda)$.

2.1 Selective Opening Secure Encryption 

We recall the indistinguishability-based definition of encryption secure against a selective opening adversary, originally formalized in [ref]. We define a real game and an ideal game which should be indistinguishable to any efficient adversary. The adversary receives both the messages and the randomness for his selection. This mirrors the fact that an adaptive MPC adversary learns the entire history of corrupted players (i.e., there are no secure erasures). If the adversary received only the messages, this would reduce to standard CPA security.

As in the notations of [ref], $\mathcal{M}$ denotes an $n$-message sampler outputting an $n$-vector $\mathbf{m} = (m_1, \ldots, m_n)$ of messages, whereas $\mathcal{M}|_{I, \mathbf{m}[I]}$ denotes an algorithm that conditionally resamples another random $n$-vector $\mathbf{m}' = (m'_1, \ldots, m'_n)$ such that $m'_i = m_i$ for each $i \in I \subseteq \{1, \ldots, n\}$. If such a resampling can be done efficiently for all $I, \mathbf{m}$, then $\mathcal{M}$ is said to support efficient conditional resampling.


Definition 1. (Indistinguishability under selective openings). A public key cryptosystem $(G, E, D)$ is indistinguishable under selective openings (or IND-SO-CPA secure) if, for any message sampler $\mathcal{M}$ supporting efficient conditional resampling and any PPT adversary $A = (A_1, A_2)$, we have

$$\left| \Pr\left[A^{\text{ind-so-real}} = 1\right] - \Pr\left[A^{\text{ind-so-ideal}} = 1\right] \right| \in \mathrm{negl}(\lambda)$$

where the games ind-so-real and ind-so-ideal are defined as follows.


IND-SO-CPA (Real):
  $\mathbf{m} = (m_1, \ldots, m_n) \leftarrow \mathcal{M}$
  $r_1, \ldots, r_n \leftarrow \mathrm{coins}(E)$
  $(I, st) \leftarrow A_1(pk, E(m_1, r_1), \ldots, E(m_n, r_n))$
  $b \leftarrow A_2(st, (m_i, r_i)_{i \in I}, \mathbf{m})$

IND-SO-CPA (Ideal):
  $\mathbf{m} = (m_1, \ldots, m_n) \leftarrow \mathcal{M}$
  $r_1, \ldots, r_n \leftarrow \mathrm{coins}(E)$
  $(I, st) \leftarrow A_1(pk, E(m_1, r_1), \ldots, E(m_n, r_n))$
  $\mathbf{m}' = (m'_1, \ldots, m'_n) \leftarrow \mathcal{M}|_{I, \mathbf{m}[I]}$
  $b \leftarrow A_2(st, (m_i, r_i)_{i \in I}, \mathbf{m}')$


In the real game, the challenger samples $\mathbf{m} = (m_1, \ldots, m_n) \leftarrow \mathcal{M}$, chooses $r_1, \ldots, r_n \leftarrow \mathrm{coins}(E)$ and sends $(E(m_1, r_1), \ldots, E(m_n, r_n))$ to $A$, who responds with a subset $I \subseteq \{1, \ldots, n\}$ and obtains $\{r_i\}_{i \in I}$ as well as the entire vector $\mathbf{m} = (m_1, \ldots, m_n)$. Finally, $A$ outputs a bit $b \in \{0, 1\}$.

In the ideal game, the challenger also samples $\mathbf{m} = (m_1, \ldots, m_n) \leftarrow \mathcal{M}$, chooses $r_1, \ldots, r_n \leftarrow \mathrm{coins}(E)$ and sends $(E(m_1, r_1), \ldots, E(m_n, r_n))$ to $A$. The latter chooses a subset $I \subseteq \{1, \ldots, n\}$ and obtains $\{r_i\}_{i \in I}$. The only difference w.r.t. the real game is that, instead of revealing $\mathbf{m}$, the challenger samples a new vector $\mathbf{m}' \leftarrow \mathcal{M}|_{I, \mathbf{m}[I]}$ and sends $\mathbf{m}'$ to $A$. Eventually, $A$ outputs a bit $b \in \{0, 1\}$.

This definition of IND-SO-CPA security (taken from [ref]) does not allow the message distribution $\mathcal{M}$ to depend on the public key. However, all our proofs (as well as the proof that Lossy Encryption is IND-SO-CPA secure in [ref]) go through essentially unchanged if $\mathcal{M}$ is allowed to depend on the public key of the scheme. For consistency, we continue to use the definition of [ref].
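To make Definition 1 concrete, here is an added Python harness (example code, not from the paper) that runs both games for a constructed message sampler $\mathcal{M}$ with correlated messages ($m_n$ is the XOR of $m_1, \ldots, m_{n-1}$) and implements its conditional resampler $\mathcal{M}|_{I, \mathbf{m}[I]}$. The encryption is a one-time pad $E(pk, m, r) = m \oplus r$ with no public key, chosen only so the harness runs offline; the sampler, the adversary $(A_1, A_2)$ and the parameters $n$ and the message length are all assumptions of the example.

```python
import secrets

N_MSG = 4      # number of senders n (constructed toy parameter)
MSG_LEN = 8    # message length in bytes (constructed)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(pk, m, r):
    """Stand-in public-key encryption: a one-time pad m XOR r with no real pk.
    Assumption: chosen only so the harness runs offline; any IND-CPA scheme fits."""
    return xor(m, r)


def sample_M():
    """The sampler M: m_1..m_{n-1} uniform, m_n their XOR (so the messages are correlated)."""
    ms = [secrets.token_bytes(MSG_LEN) for _ in range(N_MSG - 1)]
    parity = bytes(MSG_LEN)
    for m in ms:
        parity = xor(parity, m)
    return ms + [parity]


def resample_M(I, m):
    """M|_{I, m[I]}: draw m' with m'_i = m_i for i in I, keeping the XOR relation.
    Every unopened coordinate but one is fresh; the last is solved from the others."""
    free = [i for i in range(N_MSG) if i not in I]
    if not free:
        return list(m)  # all coordinates are fixed by the openings
    mp = list(m)
    for i in free[:-1]:
        mp[i] = secrets.token_bytes(MSG_LEN)
    acc = bytes(MSG_LEN)
    for i in range(N_MSG):
        if i != free[-1]:
            acc = xor(acc, mp[i])
    mp[free[-1]] = acc  # m_1 XOR ... XOR m_n = 0 determines the last free coordinate
    return mp


def ind_so_game(A1, A2, ideal):
    """The IND-SO-CPA real game (ideal=False) and ideal game (ideal=True) of Definition 1."""
    pk = None
    m = sample_M()
    rs = [secrets.token_bytes(MSG_LEN) for _ in range(N_MSG)]
    cts = [E(pk, m[i], rs[i]) for i in range(N_MSG)]
    I, st = A1(pk, cts)
    opened = {i: (m[i], rs[i]) for i in I}        # (m_i, r_i) for i in I
    revealed = resample_M(I, m) if ideal else m    # m' in the ideal game, m in the real one
    return A2(st, opened, revealed)


# A constructed adversary: opens the first sender, then checks that the revealed
# vector matches its openings, the ciphertexts it saw, and the XOR relation of M.
def A1(pk, cts):
    return {0}, cts


def A2(st, opened, revealed):
    ok = all(revealed[i] == mi and xor(mi, ri) == st[i] for i, (mi, ri) in opened.items())
    parity = bytes(MSG_LEN)
    for m in revealed:
        parity = xor(parity, m)
    return 1 if ok and parity == bytes(MSG_LEN) else 0


if __name__ == "__main__":
    print(ind_so_game(A1, A2, ideal=False), ind_so_game(A1, A2, ideal=True))
```

The resampler is the part that matters: it keeps the opened coordinates and re-draws the others subject to the XOR relation, which is exactly what "supports efficient conditional resampling" asks of $\mathcal{M}$. With a one-time pad the two games are identically distributed, so this adversary outputs the same bit in both and has zero advantage; a scheme with a real public key would be plugged in through `E` and `pk`.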
2.2 Lossy Encryption

Bellare et al. [ref] define Lossy Encryption, expanding on the definitions of Dual-Mode Encryption [ref] and Meaningful/Meaningless Encryption [ref]. A ‘lossy’ (or ‘messy’ in the terminology of [ref]) cryptosystem has two types of public keys which specify two different modes of operation. In the normal mode, encryption is injective, while in the lossy (or ‘messy’) mode, the ciphertexts generated by the encryption algorithm are independent of the plaintext. We also require that no efficient adversary can distinguish normal keys from lossy keys. Bellare et al. [ref] introduce a property called openability, which allows a possibly inefficient algorithm to open a ciphertext generated under a lossy key to any plaintext.

Definition 2. A lossy public-key cryptosystem is a tuple $(G, E, D)$ such that

• $G(1^\lambda, \mathrm{inj})$ outputs keys $(pk, sk)$ which are called injective keys.

• $G(1^\lambda, \mathrm{lossy})$ outputs keys $(pk_{lossy}, sk_{lossy})$ which are called lossy keys.

Additionally, $(G, E, D)$ are efficient algorithms satisfying these properties:

1. We have $\Pr[(pk, sk) \leftarrow G(1^\lambda, \mathrm{inj});\ r \leftarrow \mathrm{coins}(E) : D(sk, E(pk, x, r)) = x] = 1$ for all plaintexts $x \in X$. This property is called correctness on injective keys.

2. Indistinguishability of keys. In lossy mode, public keys are computationally indistinguishable from those in the injective mode. If $\mathrm{proj} : (pk, sk) \mapsto pk$ is the projection map, then $\{\mathrm{proj}(G(1^\lambda, \mathrm{inj}))\} \approx_c \{\mathrm{proj}(G(1^\lambda, \mathrm{lossy}))\}$.

3. Lossiness of lossy keys. If $(pk_{lossy}, sk_{lossy}) \leftarrow G(1^\lambda, \mathrm{lossy})$, then for all $x_0, x_1 \in X$, the distributions $E(pk_{lossy}, x_0, R)$ and $E(pk_{lossy}, x_1, R)$ are statistically close.

4. Openability. If $(pk_{lossy}, sk_{lossy}) \leftarrow G(1^\lambda, \mathrm{lossy})$ and $r \leftarrow \mathrm{coins}(E)$, then for all $x_0, x_1 \in X$, with overwhelming probability there exists $r' \in \mathrm{coins}(E)$ such that $E(pk_{lossy}, x_0, r) = E(pk_{lossy}, x_1, r')$. Hence, there is an unbounded algorithm opener that can open a lossy ciphertext to any plaintext.

Although openability is implied by property (3), it is convenient to state it explicitly in terms of an algorithm. In [ref], it was shown that, if the algorithm opener is efficient, then the encryption scheme is actually SEM-SO-CPA secure. We do not explicitly require schemes to be IND-CPA secure since semantic security follows from the indistinguishability of keys and lossiness of the lossy keys. In [ref], it was shown that the IND-CPA secure cryptosystem based on Lossy Trapdoor Functions given in [ref] is in fact a Lossy Encryption. Next, they proved that any Lossy Encryption scheme where the plaintext space admits an $n$-message sampler with efficient resampling is IND-SO-CPA secure.

3 Constructing Lossy Encryption Schemes 

3.1 Re-Randomizable Encryption Implies Lossy Encryption 

In many cryptosystems, given a ciphertext $c$ and a public key, it is possible to re-randomize $c$ to a new ciphertext $c'$ such that $c$ and $c'$ encrypt the same plaintext but are statistically independent. We call a public key cryptosystem given by algorithms $(G, E, D)$ statistically re-randomizable¹ if

• $(G, E, D)$ is semantically secure in the standard sense (IND-CPA).

• There is a negligible function $\nu$ and an efficient function $\mathrm{ReRand}$ such that for all $\lambda, pk, m, r_1$ we have $\Delta(\{r_0 \leftarrow \mathrm{coins}(E) : E(pk, m, r_0)\}, \{r' \leftarrow \mathrm{coins}(\mathrm{ReRand}) : \mathrm{ReRand}(E(pk, m, r_1), r')\}) \le \nu(\lambda)$, where $\Delta$ denotes statistical distance.

Since re-randomization does not require any kind of group structure on the plaintext space or any method for combining ciphertexts, re-randomizable encryption appears to be a weaker primitive than homomorphic encryption, and all known homomorphic cryptosystems are re-randomizable.

Our first result is a simple lossy encryption system $(G_{inj}, G_{lossy}, \overline{E}, \overline{D})$ obtained from a statistically re-randomizable public-key cryptosystem $(G, E, D)$.

• Key Generation: first, $G(1^\lambda, \mathrm{inj})$ generates $(pk, sk) \leftarrow G(1^\lambda)$. Then, it picks $r_0, r_1 \leftarrow \mathrm{coins}(E)$, computes $e_0 = E(pk, 0, r_0)$, $e_1 = E(pk, 1, r_1)$ and returns $(\overline{pk}, \overline{sk}) = ((pk, e_0, e_1), sk)$. Algorithm $G(1^\lambda, \mathrm{lossy})$ runs $G(1^\lambda)$, generating a pair $(pk, sk)$. Then, it picks $r_0, r_1 \leftarrow \mathrm{coins}(E)$ and generates $e_0 = E(pk, 0, r_0)$, $e_1 = E(pk, 0, r_1)$. It returns $(\overline{pk}, \overline{sk}) = ((pk, e_0, e_1), sk)$.

• Encryption: $\overline{E}(\overline{pk}, b, r') = \mathrm{ReRand}(pk, e_b, r')$ for $b \in \{0, 1\}$.

• Decryption: $\overline{D}(\overline{sk}, c)$ simply outputs $D(sk, c)$.

It is not hard to show that this construction is a lossy encryption scheme, 
as formally proved in the full version of the paper. Although it only allows 
encrypting single bits, it can be easily modified to encrypt longer messages 
if the underlying cryptosystem is homomorphic and if the set of encryptions 
of zero can be almost uniformly sampled (the details are available in the full 
paper). 
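As an added example (not the paper's code) of the construction above and of the four properties in Definition 2, the following Python block instantiates it with ElGamal over a constructed toy group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$), whose homomorphic property supplies the $\mathrm{ReRand}$ algorithm. It checks correctness on injective keys, lossiness (both bits decrypt to 0 under a lossy key) and openability by brute-forcing the randomness $r'$, which is only feasible because the group is tiny. The parameters, the function names and the brute-force opener are assumptions of the example.

```python
import secrets

# Constructed toy group for ElGamal: p = 2q + 1 is a safe prime and g = 4 generates
# the order-q subgroup of Z_p^*.  Assumption: illustrative sizes only, not secure.
P, Q_ORD, G = 1019, 509, 4


def keygen():
    """(pk, sk) <- G(1^lambda) for ElGamal: sk = x, pk = g^x."""
    x = secrets.randbelow(Q_ORD - 1) + 1
    return pow(G, x, P), x


def enc(pk, m, r=None):
    """E(pk, m, r) with the bit m encoded as g^m: (g^r, g^m * pk^r)."""
    if r is None:
        r = secrets.randbelow(Q_ORD)
    return pow(G, r, P), (pow(G, m, P) * pow(pk, r, P)) % P


def dec(sk, c):
    """D(sk, c): recover g^m and map it back to the bit m (None if it is neither)."""
    c1, c2 = c
    v = (c2 * pow(pow(c1, sk, P), -1, P)) % P
    return {1: 0, G: 1}.get(v)


def rerand(pk, c, r=None):
    """ReRand(pk, c, r'): multiply by a fresh encryption of 0.  The plaintext is
    unchanged and the output is uniform over all encryptions of that plaintext,
    so the re-randomization distance of the definition is 0 for this scheme."""
    if r is None:
        r = secrets.randbelow(Q_ORD)
    c1, c2 = c
    return (c1 * pow(G, r, P)) % P, (c2 * pow(pk, r, P)) % P


# --- The Section 3.1 construction built on (keygen, enc, dec, rerand). ---
def lossy_keygen(mode):
    """G(1^lambda, inj) embeds e_0 = E(0), e_1 = E(1); G(1^lambda, lossy) embeds two
    encryptions of 0.  Under DDH the two kinds of public key are indistinguishable."""
    pk, sk = keygen()
    e0 = enc(pk, 0)
    e1 = enc(pk, 1 if mode == "inj" else 0)
    return (pk, e0, e1), sk


def lossy_enc(pk_bar, b, r=None):
    """E(pk_bar, b, r') = ReRand(pk, e_b, r')."""
    pk, e0, e1 = pk_bar
    return rerand(pk, e1 if b else e0, r)


def lossy_dec(sk, c):
    return dec(sk, c)


def opener(pk_bar, c, target_bit):
    """Openability: find r' with E(pk_bar, target_bit, r') == c by exhaustive search.
    Assumption: brute force is only feasible because the toy group has 509 elements."""
    pk, e0, e1 = pk_bar
    base = e1 if target_bit else e0
    for rp in range(Q_ORD):
        if rerand(pk, base, rp) == c:
            return rp
    return None


def demo():
    pk_inj, sk_inj = lossy_keygen("inj")
    pk_lossy, sk_lossy = lossy_keygen("lossy")
    # Property 1: correctness on injective keys.
    inj_ok = all(lossy_dec(sk_inj, lossy_enc(pk_inj, b)) == b for b in (0, 1))
    # Property 3: under a lossy key both bits yield encryptions of 0.
    lossy_bits = [lossy_dec(sk_lossy, lossy_enc(pk_lossy, b)) for b in (0, 1)]
    # Property 4: a lossy ciphertext of 0 opens to 1 with some r'.
    c = lossy_enc(pk_lossy, 0)
    r_open = opener(pk_lossy, c, 1)
    reopened = r_open is not None and lossy_enc(pk_lossy, 1, r_open) == c
    # Contrast: an injective-key ciphertext of 0 cannot be opened to 1.
    cannot_open = opener(pk_inj, lossy_enc(pk_inj, 0), 1) is None
    return inj_ok, lossy_bits, reopened, cannot_open


if __name__ == "__main__":
    print(demo())
```

Note that the opener only needs the public key, never the secret exponent, which is the sense in which a lossy ciphertext carries no information about the bit: every ciphertext under a lossy key is a valid encryption of both 0 and 1 with suitable randomness.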

We also note that specific homomorphic cryptosystems such as Paillier [ref] or Damgård-Jurik [ref] provide more efficient constructions where multi-bit messages can be encrypted. In addition, as shown in the full version of the paper, the factorization of the modulus $N$ provides a means for efficiently opening a lossy ciphertext to any plaintext. Thus this scheme is actually SEM-SO-CPA secure when instantiated with these cryptosystems. This provides the most efficient known examples of SEM-SO-CPA secure cryptosystems. Previously, the most efficient known SEM-SO-CPA secure construction was the Goldwasser-Micali cryptosystem, which can only encrypt single bits.


¹ This definition of re-randomizable encryption requires statistical re-randomization. It is possible to define re-randomizable encryption which satisfies perfect re-randomization (stronger) or computational re-randomization (weaker). Such definitions already exist in the literature (see for example [ref]). Our constructions require statistical re-randomization, and do not go through under a computational re-randomization assumption.
3.2 Statistically-Hiding $\binom{2}{1}$-OT Implies Lossy Encryption

Honest-receiver two-round statistically-hiding $\binom{2}{1}$-oblivious transfer is a protocol between a sender $\mathrm{Sen}$ and a receiver $\mathrm{Rec} = (\mathrm{Rec}_q, \mathrm{Rec}_r)$. The former has two strings $s_0, s_1$ and the latter has a bit $b$. The receiver $\mathrm{Rec}_q$ generates a query $q$, which is sent to $\mathrm{Sen}$, along with some state information $sk$. The sender evaluates $q(s_0, s_1)$ and sends the result $\mathrm{rsp} = \mathrm{Sen}(q, s_0, s_1)$ to $\mathrm{Rec}_r$, who uses $sk$ to get $s_b$.

• Correctness: For all $s_0, s_1 \in \{0, 1\}^k$, $b \in \{0, 1\}$, there exists $\nu \in \mathrm{negl}(\lambda)$ s.t. $\Pr[(q, sk) \leftarrow \mathrm{Rec}_q(1^\lambda, b);\ \mathrm{rsp} \leftarrow \mathrm{Sen}(q, s_0, s_1) : \mathrm{Rec}_r(sk, \mathrm{rsp}) = s_b] \ge 1 - \nu(\lambda)$.

• Receiver Privacy: $b$ remains computationally hidden from $\mathrm{Sen}$'s view. That is, we must have $\{(q, sk) \leftarrow \mathrm{Rec}_q(1^\lambda, 0) : q\} \approx_c \{(q, sk) \leftarrow \mathrm{Rec}_q(1^\lambda, 1) : q\}$, where the distributions are taken over the internal randomness of $\mathrm{Rec}_q$.

• Sender Privacy: for any $b \in \{0, 1\}$, for any strings $s_0, s_1, s'_0, s'_1$ such that $s_b = s'_b$ and any honest receiver's query $q = \mathrm{Rec}_q(1^\lambda, b)$, it must hold that

$$\{(q, sk) \leftarrow \mathrm{Rec}_q(1^\lambda, b);\ \mathrm{rsp} \leftarrow \mathrm{Sen}(q, s_0, s_1) : \mathrm{rsp}\} \approx_s \{(q, sk) \leftarrow \mathrm{Rec}_q(1^\lambda, b);\ \mathrm{rsp} \leftarrow \mathrm{Sen}(q, s'_0, s'_1) : \mathrm{rsp}\},$$

the distributions being taken over the internal randomness of $\mathrm{Rec}_q$ and $\mathrm{Sen}$.

A two-round honest-receiver statistically-hiding $\binom{2}{1}$-OT $(\mathrm{Sen}, \mathrm{Rec})$ gives a lossy encryption as follows:

• Key Generation: Define $G(1^\lambda, \mathrm{inj}) = \mathrm{Rec}_q(1^\lambda, 0)$. Set $pk = q$, and $sk = sk$. Define $G(1^\lambda, \mathrm{lossy}) = \mathrm{Rec}_q(1^\lambda, 1)$. Set $pk = q$, and $sk = \bot$.

• Encryption: Define $E(pk, m, (r, r^*)) = \mathrm{Sen}(q, m, r; r^*)$, where $r^*$ is the randomness used in $\mathrm{Sen}(q, m, r)$ and $r \leftarrow \{0, 1\}^{|m|}$ is a random string.

• Decryption: given $c = \mathrm{rsp}$ in injective mode, define $D(sk, \mathrm{rsp}) = \mathrm{Rec}_r(sk, \mathrm{rsp})$.

Lemma 1. The scheme $(G, E, D)$ forms a lossy encryption scheme.

The (straightforward) proof of Lemma 1 can be found in the full version of this paper. Since single-server Private Information Retrieval (PIR) implies statistically-hiding OT [ref], we obtain the following corollary.

Corollary 1. One-round, Single-Server PIR implies Lossy Encryption.

Since homomorphic encryption implies PIR [ref], the following result follows.

Corollary 2. Homomorphic encryption implies Lossy Encryption.

In the half simulation model, statistically hiding $\binom{2}{1}$-OT can rely [ref] on smooth hash proof systems that fit a slight modification of the original definition [ref] with suitable verifiability properties. In the honest-but-curious receiver setting (which suffices here), it was already noted in [ref, Section 1.3] that ordinary hash proof systems are sufficient to realize $\binom{2}{1}$-OT. In the full version of the paper, we describe a simplification of the construction of lossy encryption from hash proof systems and obtain the next result.
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Corollary 3. Smooth projective hash functions imply Lossy Encryption. 

To summarize this section, since lossy encryption is selective-opening secure, we 
obtain the following theorem. 

Theorem 1. Statistically-hiding 2-round honest-receiver (fy-OT, single server 
PIR, smooth projective hash proof systems and homomorphic encryption all im- 
ply IND-SO-CPA secure encryption. 


4 Chosen-Ciphertext Security 

When an adversary has access to a decryption oracle, many cryptosystems become insecure. The notion of chosen-ciphertext security [ref] was created to address this issue and, since then, many schemes have achieved this security level. The attacks of Bleichenbacher on RSA PKCS#1 [ref] emphasized the importance of security against chosen-ciphertext attacks (CCA).

The need for selective opening security was first recognized in the context 
of Multi-Party Computation (MPC), where an active MPC adversary can view 
all ciphertexts sent in a current round and then choose a subset of senders to 
corrupt. It is natural to imagine an adversary who, in addition to corrupting a 
subset of senders, can also mount a chosen-ciphertext attack against the receiver. 
Schemes proposed so far (based on re-randomizable encryption or described in [ref]) are obviously insecure in this scenario.

In this section, we extend the notion of chosen-ciphertext security to the selec- 
tive opening setting. As in the standard selective-opening setting, we can define 
security either by indistinguishability, or by simulatability. We will give defini- 
tions of security as well as constructions for both settings. 

Classical techniques to acquire chosen-ciphertext security are delicate to use here. Handling decryption queries using the Naor-Yung paradigm [ref] and non-interactive zero-knowledge proofs [ref] is not straightforward as, when the adversary makes her corruption query, she should obtain the random coins that were used to produce NIZK proofs. Fehr, Hofheinz, Kiltz and Wee [ref] showed how to use non-committing encryption [ref] along with a modified hash proof system [ref] to achieve chosen-ciphertext security in the selective opening setting in the simulation-based model (SEM-SO-CCA). Our work takes a different approach and seeks to apply the Canetti-Halevi-Katz paradigm [ref]. As we shall see, adapting this methodology to the selective opening setting encounters a number of technical obstacles that need to be overcome.


4.1 Chosen-Ciphertext Security: Indistinguishability 

We begin with the indistinguishability-based definition. We define a real game (ind-cca2-real) and an ideal game (ind-cca2-ideal). In both games, the challenger generates a key pair $(sk, pk) \leftarrow G(1^\lambda)$ and sends $pk$ to $\mathcal{A}$. The adversary is then allowed to adaptively make the following types of queries.

• Challenge Query: let $\mathcal{M}$ be a message sampler. The latter samples a vector $\mathbf{m} = (m_1, \ldots, m_n) \leftarrow \mathcal{M}$ and returns a vector containing $n$ "target" ciphertexts $\mathbf{C} = (C[1], \ldots, C[n]) \leftarrow (E(pk, m_1, r_1), \ldots, E(pk, m_n, r_n))$.

• Corrupt Query: $\mathcal{A}$ chooses $I \subset \{1, \ldots, n\}$ and receives $\{(m_i, r_i)\}_{i \in I}$.

  • In ind-cca2-real, the challenger then sends $\{m_i\}_{i \notin I}$ to the adversary.

  • In ind-cca2-ideal, the challenger re-samples $\mathbf{m}' = (m'_1, \ldots, m'_n) \leftarrow \mathcal{M}|_{I, \mathbf{m}[I]}$ (i.e., so that $m'_j = m_j$ for each $j \in I$) and sends $\{m'_j\}_{j \notin I}$ to $\mathcal{A}$.

• Decryption Queries: $\mathcal{A}$ chooses a ciphertext $C$ such that $C \neq C[i]$ for each $i \in \{1, \ldots, n\}$ and sends $C$ to the challenger, which responds with $D(sk, C)$.

After polynomially-many queries, one of which is a challenge query and precedes the corrupt query (which is unique as well), the adversary outputs $b \in \{0,1\}$.

Definition 3. A public key cryptosystem is IND-SO-CCA2 secure if, for any polynomial $n$ and any $n$-message sampler $\mathcal{M}$ supporting efficient conditional re-sampling, any PPT adversary $\mathcal{A}$ has negligibly different outputs in the real game and in the ideal game: for some negligible function $\nu$, we must have

$\left| \Pr\left[\mathcal{A}^{\mathrm{ind\text{-}cca2\text{-}real}} = 1\right] - \Pr\left[\mathcal{A}^{\mathrm{ind\text{-}cca2\text{-}ideal}} = 1\right] \right| < \nu.$


4.2 Chameleon Hash Functions 

A chameleon hash function [ref] $\mathcal{CMH} = (\mathrm{CMKg}, \mathrm{CMhash}, \mathrm{CMswitch})$ consists of an algorithm $\mathrm{CMKg}$ that, given a security parameter $\lambda$, outputs a key pair $(hk, tk) \leftarrow \mathcal{G}(\lambda)$. The hashing algorithm outputs $y = \mathrm{CMhash}(hk, m, r)$ given the public key $hk$, a message $m$ and random coins $r \in \mathcal{R}_{hash}$. On input of $m, r, m'$ and the trapdoor key $tk$, the switching algorithm $r' \leftarrow \mathrm{CMswitch}(tk, m, r, m')$ outputs $r' \in \mathcal{R}_{hash}$ such that $\mathrm{CMhash}(hk, m, r) = \mathrm{CMhash}(hk, m', r')$. Collision-resistance mandates that it be infeasible to find pairs $(m', r') \neq (m, r)$ such that $\mathrm{CMhash}(hk, m, r) = \mathrm{CMhash}(hk, m', r')$ without knowing $tk$. Uniformity guarantees that the distribution of hashes is independent of the message $m$; in particular, for all $hk$ and $m, m'$, the distributions $\{r \leftarrow \mathcal{R}_{hash} : \mathrm{CMhash}(hk, m, r)\}$ and $\{r \leftarrow \mathcal{R}_{hash} : \mathrm{CMhash}(hk, m', r)\}$ are identical. It is well-known that chameleon hashing can be based on standard number theoretic assumptions.


4.3 A Special Use of the Canetti-Halevi-Katz Paradigm 

The Canetti-Halevi-Katz technique [ref] allows building chosen-ciphertext secure cryptosystems from weakly secure identity-based or tag-based encryption schemes. A tag-based encryption scheme (TBE) [ref] is a cryptosystem where the encryption and decryption algorithms take an additional input, named the tag, which is a binary string of appropriate length with no particular structure. A TBE scheme consists of a triple $\mathcal{TBE} = (\mathrm{TBEKg}, \mathrm{TBEEnc}, \mathrm{TBEDec})$ of efficient algorithms where, on input of a security parameter $\lambda$, $\mathrm{TBEKg}$ outputs a private/public key pair $(pk, sk)$; $\mathrm{TBEEnc}$ is a randomized algorithm that outputs a ciphertext $C$ on input of a public key $pk$, a string $\theta$ (called tag) and a message $m \in \mathrm{MsgSp}(\lambda)$; $\mathrm{TBEDec}(sk, \theta, C)$ is the decryption alg
orithm that takes as input a secret key $sk$, a tag $\theta$ and a ciphertext $C$ and returns a plaintext $m$ or $\bot$. Associated with $\mathcal{TBE}$ is a plaintext space $\mathrm{MsgSp}$. Correctness requires that for all $\lambda \in \mathbb{N}$, all key pairs $(pk, sk) \leftarrow \mathrm{TBEKg}(1^\lambda)$, all tags $\theta$ and any plaintext $m \in \mathrm{MsgSp}(\lambda)$, it holds that $\mathrm{TBEDec}(sk, \theta, \mathrm{TBEEnc}(pk, \theta, m)) = m$.

Selective Opening Security for TBE Schemes. In the selective opening setting, the weak CCA2 security definition of [ref] can be extended as follows.

Definition 4. A TBE scheme $\mathcal{TBE} = (\mathrm{TBEKg}, \mathrm{TBEEnc}, \mathrm{TBEDec})$ is selective-tag weakly IND-SO-CCA2 secure (or IND-SO-stag-wCCA2 secure) if, for any polynomial $n$ and any $n$-message sampler $\mathcal{M}$ supporting efficient conditional re-sampling, any PPT adversary $\mathcal{A}$ produces negligibly different outputs in the real and ideal games, which are defined as follows.

1. The adversary $\mathcal{A}$ chooses $n$ tags $\theta_1^*, \ldots, \theta_n^*$ and sends them to the challenger.

2. The challenger generates a key pair $(sk, pk) \leftarrow \mathrm{TBEKg}(1^\lambda)$ and hands $pk$ to $\mathcal{A}$. The latter then adaptively makes the following kinds of queries:

• Challenge Query: let $\mathcal{M}$ be a message sampler for $\mathrm{MsgSp}(\lambda)$. The challenger samples $(m_1, \ldots, m_n) \leftarrow \mathcal{M}$ and returns $\mathbf{C} = (C[1], \ldots, C[n])$, where $C[i] = \mathrm{TBEEnc}(pk, \theta_i^*, m_i, r_i)$.

• Corrupt Query: $\mathcal{A}$ chooses $I \subset \{1, \ldots, n\}$ and obtains $\{(m_i, r_i)\}_{i \in I}$.

  - In the real game, the challenger then sends $\{m_i\}_{i \notin I}$ to the adversary.

  - In the ideal game, the challenger re-samples $(m'_1, \ldots, m'_n) \leftarrow \mathcal{M}|_{I, \mathbf{m}[I]}$ and reveals $\{m'_i\}_{i \notin I}$.

• Decryption Queries: $\mathcal{A}$ sends a pair $(C, \theta)$ such that $\theta \notin \{\theta_1^*, \ldots, \theta_n^*\}$. The challenger replies with $\mathrm{TBEDec}(sk, \theta, C) \in \mathrm{MsgSp}(\lambda) \cup \{\bot\}$.

After polynomially-many queries, one of which is a challenge query, $\mathcal{A}$ outputs $b \in \{0, 1\}$. Its advantage $\mathbf{Adv}^{\mathrm{IND\text{-}SO\text{-}stag\text{-}wCCA2}}(\mathcal{A})$ is defined as in Definition 3.

At first, one may hope to obtain IND-SO-CCA2 security by applying the CHK method [ref] to any IBE/TBE scheme satisfying some weaker level of selective opening security. Let $\mathcal{TBE} = (\mathrm{TBEKg}, \mathrm{TBEEnc}, \mathrm{TBEDec})$ be a secure TBE scheme in the sense of Definition 4 and let $\Sigma = (\mathcal{G}, \mathcal{S}, \mathcal{V})$ be a strong one-time signature. The CHK technique turns $\mathcal{TBE}$ into a cryptosystem $\mathcal{PKE} = (G, E, D)$ which is obtained by letting $G(1^\lambda)$ output $(sk', (\Sigma, pk'))$ where $(sk', pk') \leftarrow \mathrm{TBEKg}(1^\lambda)$. To encrypt a message $m$, $E$ generates a one-time signature key pair $(\mathrm{SK}, \mathrm{VK}) \leftarrow \mathcal{G}(1^\lambda)$, computes $C_{tbe} = \mathrm{TBEEnc}(pk', \mathrm{VK}, m)$ under the tag $\mathrm{VK}$ and sets the ciphertext as $(\mathrm{VK}, C_{tbe}, \sigma)$, where $\sigma = \mathcal{S}(\mathrm{SK}, C_{tbe})$.

In the selective opening setting, when the adversary makes its corruption query in the reduction, it must obtain the random coins that were used to generate the one-time signature keys appearing in target ciphertexts. Then, it is able to re-compute the corresponding private keys and make decryption queries for ciphertexts involving the same verification keys as target ciphertexts, which causes the reduction to fail. Although schemes using one-time signatures do not appear to become trivially insecure, the reduction of [ref] ceases to go through.

It was shown in [ref] that chameleon hash functions [ref] can be used to turn certain TBE schemes, termed separable, into full-fledged IND-CCA2 cryptosystems and supersede one-time signatures in the CHK transform. A TBE scheme is said to be separable if, on input of $pk, m, \theta$, algorithm $\mathrm{TBEEnc}(pk, \theta, m)$ uses randomness $r \in \mathcal{R}_{tbe}$ and returns $C_{tbe} = (f_1(pk, m, r), f_2(pk, r), f_3(pk, \theta, r))$,² where functions $f_1$, $f_2$ and $f_3$ are computed independently of each other and are all deterministic (so that they give the same outputs when queried twice on the same $(m, r)$, $r$ and $(\theta, r)$). In addition, $f_2$ must be injective.

The construction of [ref] uses chameleon hashing instead of one-time signatures. Key generation requires creating a TBE key pair $(pk', sk')$ and a chameleon hashing public key $hk$. The private key of $\mathcal{PKE}$ is the TBE private key $sk'$. Encryption and decryption procedures are depicted hereafter.


$E(m, pk)$:
  Parse $pk$ as $(pk', hk)$
  $r_1 \leftarrow \mathcal{R}_{tbe}$; $r_2 \leftarrow \mathcal{R}_{hash}$
  $u = f_1(pk', m, r_1)$; $v = f_2(pk', r_1)$
  $\theta = \mathrm{CMhash}(hk, u \| v, r_2)$
  $w = f_3(pk', \theta, r_1)$
  Return $C = (u, v, w, r_2)$

$D(sk, C)$:
  Parse $C$ as $(u, v, w, r_2)$ and $sk$ as $sk'$
  $\theta = \mathrm{CMhash}(hk, u \| v, r_2)$
  Return $m \leftarrow \mathrm{TBEDec}(sk', \theta, (u, v, w))$


Unlike the CHK transform, this construction computes $C$ without using any other secret random coins than those of the underlying TBE ciphertext. The tag is derived from a ciphertext component $u$ and some independent randomness $r_2$ that publicly appears in $C$. For this reason, we can hope to avoid the difficulty that appears with the CHK transform. Indeed, we prove that any separable TBE that satisfies Definition 4 yields an IND-SO-CCA2 cryptosystem.

Theorem 2. If $\mathcal{TBE} = (\mathrm{TBEKg}, \mathrm{TBEEnc}, \mathrm{TBEDec})$ is a separable TBE scheme with IND-SO-stag-wCCA2 security, the transformation of figure ?? gives an IND-SO-CCA2 PKE scheme. (The proof is given in the full version of the paper.)


4.4 Lossy and All-But-n Trapdoor Functions 

A tuple $(S_{ltdf}, F_{ltdf}, F^{-1}_{ltdf})$ of PPT algorithms is called a family of $(d, k)$-lossy trapdoor functions [ref] if the following properties hold:

Sampling injective functions: $S_{ltdf}(1^\lambda, 1)$ outputs $(s, t)$, where $s$ is a function index and $t$ its trapdoor. It is required that $F_{ltdf}(s, \cdot)$ be injective on $\{0,1\}^d$ and $F^{-1}_{ltdf}(t, F_{ltdf}(s, x)) = x$ for all $x$.

Sampling lossy functions: $S_{ltdf}(1^\lambda, 0)$ outputs $(s, \bot)$ where $s$ is a function index and $F_{ltdf}(s, \cdot)$ is a function on $\{0,1\}^d$ with image size at most $2^{d-k}$.

Indistinguishability: $\{(s, t) \leftarrow S_{ltdf}(1^\lambda, 1) : s\} \approx_c \{(s, \bot) \leftarrow S_{ltdf}(1^\lambda, 0) : s\}$.

² As described in [ref], the construction uses a single function $F$ instead of $f_1$ and $f_2$ (i.e., we are re-writing it in the particular case $F(m, r) = (f_1(pk, m, r), f_2(pk, r))$). The security proof of [ref] implicitly requires $F$ to be such that no two pairs $(m, r) \neq (m', r')$ give $F(m, r) = F(m', r')$. Using functions $f_1, f_2$ is a way to enforce this.

Along with lossy trapdoor functions, Peikert and Waters [ref] defined all-but-one (ABO) functions. These are lossy trapdoor functions, except that instead of having two branches (a lossy branch and an injective branch) they have many branches coming from a branch set $B$, all but one of which are injective.

The Peikert-Waters system only requires ABO functions to have one lossy branch because the IND-CCA2 game involves a single challenge ciphertext and a single ABO function must be evaluated on a lossy branch. Since the IND-SO-CCA security game involves $n > 1$ challenge ciphertexts, we need to generalize ABO functions into all-but-n (ABN) functions that have multiple lossy branches and where all branches except the specified ones are injective. A tuple $(S_{abn}, G_{abn}, G^{-1}_{abn})$ is a family of ABN functions if these conditions are satisfied.

• Sampling with a given lossy set: For any $n$-subset $I \subset B$, $S_{abn}(1^\lambda, I)$ outputs $(s, t)$ where $s$ is a function index, and $t$ its trapdoor. We require that for any $b \in B \setminus I$, $G_{abn}(s, b, \cdot)$ is an injective deterministic function on $\{0,1\}^d$, and $G^{-1}_{abn}(t, b, G_{abn}(s, b, x)) = x$ for all $x$. Additionally, for each $b \in I$, the image of $G_{abn}(s, b, \cdot)$ has size at most $2^{d-k}$.

• Hidden lossy sets: For any distinct $n$-subsets $I_0^*, I_1^* \subset B$, the first outputs of $S_{abn}(1^\lambda, I_0^*)$ and $S_{abn}(1^\lambda, I_1^*)$ are computationally indistinguishable.

Just as ABO functions can be obtained from lossy trapdoor functions, ABN functions can also be constructed from LTDFs, and a general construction is provided in the full version of the paper. The recent results of Hofheinz [ref] show how to create All-But-Many Lossy Functions, which are Lossy Trapdoor Functions with a super-polynomial number of lossy branches. The advantage of his construction is that the description of the function is independent of the number $n$ of lossy branches. Hofheinz's All-But-Many functions can be plugged into our constructions to shrink the size of the public key (see [ref] for details).

4.5 An IND-SO-stag-wCCA2 TBE Construction 

We construct IND-SO-stag-wCCA2 tag-based cryptosystems from lossy trapdoor functions. Let $(\mathrm{CMKg}, \mathrm{CMhash}, \mathrm{CMswitch})$ be a chameleon hash function where $\mathrm{CMhash}$ ranges over the set of branches $B$ of the ABN family. We eventually obtain an IND-SO-CCA2 public key encryption scheme as a LTDF-based construction that mimics the one of [ref] (in its IND-CCA1 variant).

Let $(S_{ltdf}, F_{ltdf}, F^{-1}_{ltdf})$ be a family of $(d, k)$-lossy trapdoor functions, and let $(S_{abn}, G_{abn}, G^{-1}_{abn})$ be a family of $(d, k')$ all-but-n functions with branch set $\{0,1\}^v$, where $v$ is the length of a verification key for a one-time signature. We require that $2d - k - k' < t - \kappa$, for $\kappa = \kappa(t) = \omega(\log t)$. Let $\mathcal{H}$ be a pairwise independent hash family from $\{0,1\}^d \to \{0,1\}^\ell$, with $0 < \ell < k - 2\log(1/\nu)$, for some negligible $\nu = \nu(\lambda)$. The message space will be $\mathrm{MsgSp} = \{0,1\}^\ell$.

• $\mathrm{TBEKg}(1^\lambda)$: choose $h \leftarrow \mathcal{H}$ in the pairwise independent hash family and generate $(s, t) \leftarrow S_{ltdf}(1^\lambda, 1)$, $(s', t') \leftarrow S_{abn}(1^\lambda, \{0, 1, \ldots, n-1\})$. The public key will be $pk = (s, s', h)$ and the secret key will be $sk = (t, t')$.

• $\mathrm{TBEEnc}(m, pk, \theta)$: to encrypt $m \in \{0,1\}^\ell$ under the tag $\theta \in B$, choose $x \leftarrow \{0,1\}^d$. Compute $c_0 = h(x) \oplus m$, $c_1 = F_{ltdf}(s, x)$ and $c_2 = G_{abn}(s', \theta, x)$, and the TBE ciphertext is $C = (c_0, c_1, c_2) = (h(x) \oplus m,\ F_{ltdf}(s, x),\ G_{abn}(s', \theta, x))$.

• $\mathrm{TBEDec}(C, sk, \theta)$: given $C = (c_0, c_1, c_2)$ and $sk = t$, compute $x = F^{-1}_{ltdf}(t, c_1)$ and $m = c_0 \oplus h(x)$ if $G_{abn}(s', \theta, x) = c_2$. Otherwise, output $\bot$.

The scheme is separable since $C$ is obtained as $c_0 = f_1(pk, m, x) = m \oplus h(x)$, $c_1 = f_2(pk, x) = F_{ltdf}(s, x)$ and $c_2 = f_3(pk, \theta, x) = G_{abn}(s', \theta, x)$.

Theorem 3. The algorithms described above form an IND-SO-stag-wCCA2 secure tag-based cryptosystem assuming the security of the lossy and all-but-n families. (The proof is given in the full version of the paper.)

4.6 An All-But-n Function with Short Outputs 

While generic, the all-but-n function described in the full version of the paper has the disadvantage of long outputs, the size of which is proportional to $nk$. Efficient all-but-one functions can be based on the Composite Residuosity assumption [ref]. We show that the all-but-one function of [ref] extends into an ABN function that retains short (i.e., independent of $n$ or $k$) outputs. Multiple lossy branches can be obtained using a technique that traces back to the work of Chatterjee and Sarkar [ref] who used it in the context of identity-based encryption.

• Sampling with a given lossy set: given a security parameter $\lambda \in \mathbb{N}$ and the desired lossy set $I = \{\theta_1^*, \ldots, \theta_n^*\}$, where $\theta_i^* \in \{0,1\}^\lambda$ for each $i \in \{1, \ldots, n\}$, let $\gamma > 4$ be a polynomial in $\lambda$.

1. Choose random primes $p, q$ s.t. $N = pq > 2^\lambda$.

2. Generate a vector $U \in (\mathbb{Z}^*_{N^{\gamma+1}})^{n+1}$ as follows. Let $a_{n-1}, \ldots, a_0 \in \mathbb{Z}_{N^\gamma}$ be the coefficients of $P[T] = \prod_{i=1}^n (T - \theta_i^*) = T^n + a_{n-1} T^{n-1} + \cdots + a_1 T + a_0$ in $\mathbb{Z}_{N^\gamma}[T]$ (note that $P[T]$ is expanded in $\mathbb{Z}_{N^\gamma}$, but its roots are all in $\mathbb{Z}_N$). Then, for each $i \in \{0, \ldots, n\}$, set $U_i = (1+N)^{a_i} \alpha_i^{N^\gamma} \bmod N^{\gamma+1}$, where $(\alpha_0, \ldots, \alpha_n) \leftarrow (\mathbb{Z}_N^*)^{n+1}$ and with $a_n = 1$.

3. The evaluation key is $s' = \{N, U = (U_0, \ldots, U_n)\}$ and the domain of the function is $\{0, \ldots, 2^{\gamma\lambda/2} - 1\}$. The trapdoor is $t' = \mathrm{lcm}(p-1, q-1)$.

• Evaluation: to evaluate $G_{abn}(s', \theta, x)$, where $x \in \{0, \ldots, 2^{\gamma\lambda/2} - 1\}$ and $\theta \in \{0,1\}^\lambda$, compute $c = \left(\prod_{i=0}^n U_i^{\theta^i \bmod N^\gamma}\right)^x \bmod N^{\gamma+1}$.

• Inversion: for a branch $\theta$, $c = G_{abn}(s', \theta, x)$ is a Damgård-Jurik encryption of $y = P(\theta) x \bmod N^\gamma$. Using $t' = \mathrm{lcm}(p-1, q-1)$, we apply the decryption algorithm of [ref] to obtain $y \in \mathbb{Z}_{N^\gamma}$ and return $x = y \cdot P(\theta)^{-1} \bmod N^\gamma$.

As in [ref], $G_{abn}(s', \theta, \cdot)$ has image size smaller than $N$ when $\theta \in I$, and it can be shown that $H_\infty[x \mid (G_{abn}(s', \theta, x), N, U)] \geq \gamma\lambda/2 - \log(N)$.

We note that the ABN function $G_{abn}(s', \theta, \cdot)$ is not injective for each branch $\theta \notin I$, but only for those such that $\gcd(P(\theta), N^\gamma) = 1$. However, the fraction of branches $\theta \in \{0,1\}^\lambda$ such that $\gcd(P(\theta), N^\gamma) \neq 1$ is bounded by $2/\min(p, q)$, which is negligible. Moreover, the proof of Theorem 2 is not affected if the TBE scheme is instantiated with this ABN function and the LTDF of [ref]. As explained in the full version of the paper, as long as factoring is hard (which is implied by the Composite Residuosity assumption), the adversary has negligible chance of making decryption queries w.r.t. such a problematic tag $\theta$.

Lemma 2. The above ABN function is lossy set hiding under the Composite Residuosity assumption. (The proof is given in the full version of the paper.)

The above ABN function yields an IND-SO-CCA2 secure encryption scheme with ciphertexts of constant (i.e., independent of $n$) size but a public key of size $O(n)$. Encryption and decryption require $O(n)$ exponentiations as they entail an ABN evaluation. On the other hand, the private key has $O(1)$ size, which keeps the private storage very cheap. At the expense of sacrificing the short private key size, we can optimize the decryption algorithm by computing $x = G^{-1}_{abn}(t', \theta, c_2)$ (instead of $x = F^{-1}_{ltdf}(t, c_1)$) so as to avoid computing $G_{abn}(s', \theta, x)$ in the forward direction to check the validity of ciphertexts. In this case, the receiver has to store $a_0, \ldots, a_{n-1}$ to evaluate $P(\theta)$ when inverting $G_{abn}$.
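The ABN function just described, as an added toy implementation that is not the paper's own code and that also stands in for the $c_2 = G_{abn}(s', \theta, x)$ component of the TBE of Section 4.5: it builds $U$ from the coefficients of $P[T]$, evaluates $G_{abn}$, inverts on an injective branch through the Damgård-Jurik decryption with $t'$ (keeping $a_0, \ldots, a_n$, as the optimised decryption above requires), and returns None on a branch with $\gcd(P(\theta), N^\gamma) \neq 1$. The 17-bit primes, $\gamma = 5$, the seed and all function names are assumptions of this demo, not values from the paper.

```python
import math
import random

LAM_BITS, GAMMA = 32, 5   # toy sizes (assumption): N = pq > 2^32 only; gamma > 4 as in the text

def _is_prime(n):
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def _random_prime(rng, bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(cand):
            return cand

def _poly_from_roots(roots, mod):
    """Coefficients a_0..a_n (low degree first) of P[T] = prod_i (T - theta_i) in Z_mod[T]."""
    coeffs = [1]
    for root in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + a) % mod        # a * T
            nxt[i] = (nxt[i] - a * root) % mod          # a * (-theta_i)
        coeffs = nxt
    return coeffs

def _poly_eval(coeffs, theta, mod):
    return sum(a * pow(theta, i, mod) for i, a in enumerate(coeffs)) % mod

def abn_sample(lossy_set, rng, gamma=GAMMA, lam_bits=LAM_BITS):
    """S_abn(1^lambda, I): evaluation key (N, U), trapdoor t' = lcm(p-1, q-1), and a_0..a_n."""
    bits = lam_bits // 2 + 1                            # p, q > 2^(lambda/2)  =>  N > 2^lambda
    p = _random_prime(rng, bits)
    q = _random_prime(rng, bits)
    while q == p:
        q = _random_prime(rng, bits)
    N = p * q
    Ng, mod = N ** gamma, N ** (gamma + 1)
    coeffs = _poly_from_roots(lossy_set, Ng)           # roots are the lossy branches, a_n = 1
    U = []
    for a_i in coeffs:
        alpha = rng.randrange(1, N)                     # alpha_i <- Z_N^*
        while math.gcd(alpha, N) != 1:
            alpha = rng.randrange(1, N)
        U.append(pow(1 + N, a_i, mod) * pow(alpha, Ng, mod) % mod)   # (1+N)^{a_i} alpha_i^{N^gamma}
    return (N, U), math.lcm(p - 1, q - 1), coeffs

def abn_eval(ek, theta, x, gamma=GAMMA):
    """G_abn(s', theta, x) = (prod_i U_i^{theta^i mod N^gamma})^x mod N^{gamma+1}."""
    N, U = ek
    Ng, mod = N ** gamma, N ** (gamma + 1)
    base = 1
    for i, U_i in enumerate(U):
        base = base * pow(U_i, pow(theta, i, Ng), mod) % mod
    return pow(base, x, mod)

def dj_log(a, N, gamma):
    """Damgard-Jurik decryption core: recover m in Z_{N^gamma} from a = (1+N)^m mod N^{gamma+1}."""
    i = 0
    for j in range(1, gamma + 1):                        # lift m modulo N^j, one j at a time
        nj = N ** j
        t1 = (a % (N ** (j + 1)) - 1) // N              # L-function, exact because a = 1 mod N
        t2 = i
        for k in range(2, j + 1):                        # remove the binomial terms C(m,k) N^{k-1}
            i -= 1
            t2 = t2 * i % nj
            t1 = (t1 - t2 * N ** (k - 1) * pow(math.factorial(k), -1, nj)) % nj
        i = t1
    return i

def abn_invert(ek, t_prime, coeffs, theta, c, gamma=GAMMA):
    """G_abn^{-1}: c encrypts y = P(theta) x; returns x, or None when gcd(P(theta), N^gamma) != 1."""
    N, _ = ek
    Ng, mod = N ** gamma, N ** (gamma + 1)
    p_theta = _poly_eval(coeffs, theta, Ng)
    if math.gcd(p_theta, Ng) != 1:                      # lossy branch (P = 0) or a problematic tag
        return None
    t_y = dj_log(pow(c, t_prime, mod), N, gamma)       # c^{t'} = (1+N)^{t' y}: the alpha part vanishes
    y = t_y * pow(t_prime, -1, Ng) % Ng
    return y * pow(p_theta, -1, Ng) % Ng

def demo(seed=7):
    """Three lossy branches (constructed tags); exercise an injective and a lossy branch."""
    rng = random.Random(seed)
    lossy = [rng.getrandbits(LAM_BITS) for _ in range(3)]
    ek, t_prime, coeffs = abn_sample(lossy, rng)
    theta = rng.getrandbits(LAM_BITS)
    while theta in lossy:
        theta = rng.getrandbits(LAM_BITS)
    x = rng.getrandbits(GAMMA * LAM_BITS // 2)          # domain {0, ..., 2^(gamma lambda / 2) - 1}
    return {
        "inverts": abn_invert(ek, t_prime, coeffs, theta, abn_eval(ek, theta, x)) == x,
        # on a lossy branch P(theta) = 0, only alpha^{N^gamma x} survives, so x and x + t' collide
        "collision": abn_eval(ek, lossy[0], x) == abn_eval(ek, lossy[0], x + t_prime),
        "lossy_inverted": abn_invert(ek, t_prime, coeffs, lossy[0], abn_eval(ek, lossy[0], x)),
    }

if __name__ == "__main__":
    print(demo())
```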

It is also possible to extend the DDH-based ABO function described in [ref] into an ABN function. However, in the full version of the paper, we describe a more efficient lossy TBE scheme based on the DDH assumption.
Abstract. In this paper we present the first CCA-secure public key encryption scheme that is structure preserving, i.e., our encryption scheme uses only algebraic operations. In particular, it does not use hash functions or interpret group elements as bit-strings. This makes our scheme a perfect building block for cryptographic protocols where parties for instance want to prove properties about ciphertexts to each other or to jointly compute ciphertexts. Our scheme is very efficient and is secure against adaptive chosen ciphertext attacks.

We also provide a few example protocols for which our scheme is useful. For instance, we present an efficient protocol for two parties, Alice and Bob, that allows them to jointly encrypt a given function of their respective secret inputs such that only Bob learns the resulting ciphertext, yet they are both ensured of the computation's correctness. This protocol serves as a building block for our second contribution, which is a set of protocols that implement the concept of so-called oblivious trusted third parties. This concept has been proposed before, but no concrete realization was known.

Keywords: public-key encryption, structure preserving, oblivious trusted third party.

1 Introduction 

Public key encryption and signature schemes have become indispensable building blocks for cryptographic protocols such as anonymous credential schemes, group signatures, anonymous voting schemes, and e-cash systems. In the design of such protocols, it is often necessary that one party be able to prove to another that it has correctly signed or encrypted a message without revealing the message and its signature or encryption. An efficient implementation of such proofs is possible if the signature and encryption schemes allow one to employ generalized Schnorr [ref] or Groth-Sahai proofs [ref]. In the design of suitable signature and encryption schemes one should therefore stay within the realm of algebraic groups and not break the algebraic structures, for instance, by using hash functions in an essential way.

When it comes to signature schemes, a designer can pick from a number of schemes that are suitable (e.g., [ref]). For encryption schemes secure against adaptive chosen ciphertext attack (CCA) the situation is quite different. Two schemes that are somewhat suitable are the Camenisch-Shoup and the Cramer-Shoup encryption schemes [ref], allowing for the verifiable encryption (and decryption) of discrete logarithms and group elements, respectively. Both these schemes make use of a cryptographic hash function to achieve security against chosen ciphertext attacks. These hash functions, unfortunately, prevent one from efficiently proving relations between the input and output of the encryption procedure. Such proofs, however, are an important feature in many advanced protocols. They are for instance required when two parties are to jointly encrypt (a function of) their respective inputs without revealing them or when a user is to prove knowledge of a ciphertext, e.g., as a part of a proof of knowledge of a leakage-resilient signature [ref] (proving knowledge of a signature is a central tool in privacy-preserving protocols which so far is not possible for leakage-resilient signatures).

In this paper we present the first efficient structure preserving CCA secure encryption scheme. The term "structure-preserving" is borrowed from the notion of structure-preserving digital signatures [ref]. An encryption scheme is called structure-preserving if its public keys, messages (plaintexts), and ciphertexts are group elements and the encryption and decryption algorithms consist only of group and pairing operations. We achieve structure preserving encryption by a novel implementation of the consistency check that ensures security against chosen ciphertext attacks. More precisely, we implement the consistency checks using a bilinear map between algebraic groups and embed all other ciphertext components in the pre-image group of that map. Our ciphertext consistency element(s) could be either one element in the target group or several group elements in the pre-image group. The former gives better efficiency, whereas the latter can be used in more scenarios, in particular those making use of Groth-Sahai proofs [ref]. We prove our encryption scheme secure against chosen ciphertext attacks under the decisional linear assumption [ref]. Our encryption scheme and protocols also support so-called labels [ref], which are public messages attached to a ciphertext and are important in the scenario we consider in this paper to bind a decryption policy to the ciphertext.

Our new encryption scheme is well suited to build a variety of protocols. For instance, with our scheme the following protocol problems can be addressed, which are common stumbling stones when designing advanced cryptographic protocols:

— Our scheme can be used in the construction of leakage-resilient signatures [ref], which will then enable, for the first time, a user to efficiently prove knowledge of a leakage-resilient signature.

— A user, who is given a ciphertext and a Groth-Sahai proof that the ciphertext was correctly computed, is able to prove to a third party that it is in possession of such a ciphertext without revealing it.

— Two users can jointly compute a ciphertext (of a function) of two plaintexts such that neither party learns the plaintext of the other party and only one of the parties learns the ciphertext.

The last problem typically appears in protocols that do some kind of conflict resolution via a trusted third party. Examples include anonymity lifting (revocation) in group signatures and in anonymous credential systems and optimistic fair exchange [ref]. In these scenarios, there are typically two parties, say Alice and Bob, who run a protocol with each other and then provide each other with ciphertexts that can in case of a mishap (such as abuse of anonymity, conflict, unfair abort of the protocol, etc.) be presented to a third party for resolution by decryption. Hereby, it is of course important that (1) the trusted third party be involved in case of mishap only and (2) the parties can convince each other that the ciphertexts indeed contain the right information. Note that CCA security is crucial here, as the trusted third party effectively acts as a decryption oracle. So far, protocol designers have used verifiable encryption, which unfortunately has the disadvantage that both parties learn the ciphertext of the other party. Hence, Alice could for instance take Bob's ciphertext and bribe the TTP so that it would act normally for all decryption requests except when Bob's ciphertext is presented, in which case the TTP would just ignore the request.

To address this problem Camenisch, Gross, and Heydt-Benjamin [ref] propose the concept of oblivious trusted third parties (OTP): here, such conflict resolution protocols are designed in such a way that the trusted third party is kept oblivious of the concrete instance of the conflict resolution protocol. This means that if Bob goes to the TTP for resolution, he cannot possibly be discriminated against, as the TTP cannot tell whether it is contacted by Bob or some other person. Therefore, if the TTP were to deny such requests too often, that would be known, and so there is no reason for Bob to believe that the TTP will not resolve the conflict for him if need be. Unfortunately, Camenisch et al. only provide a high-level construction for such a protocol but do not present a concrete instantiation. Based on our new encryption scheme, we present the first concrete protocols that implement OTP.

We prove all our protocols secure under composable simulation-based security definitions [ref].

Related Work. There is of course a lot of related work on encryption schemes, but our scheme is the first one that is structure preserving. Considering our second contribution, the protocols for oblivious trusted parties, the only related work is by Camenisch, Gross, and Heydt-Benjamin [ref]. They introduced the concept of oblivious trusted third parties but, as we mentioned, do not provide any concrete protocol.
2 Structure Preserving Encryption

In this section, we define the notion of structure-preserving encryption and present the first instantiation of such a scheme. The term "structure-preserving" is borrowed from the notion of structure-preserving digital signatures [ref] and, for encryption, represents the idea that ciphertexts are constructed purely using (bilinear) group operations.

Note that the well known Cramer-Shoup [ref] and Camenisch-Shoup [ref] encryption schemes are not structure preserving as they make use of a cryptographic hash function. Even the hash-free variant of Cramer-Shoup is not structure preserving; that is because its consistency check requires group elements to be interpreted as exponents, which is not a group operation. The details of a proof of knowledge of a hash-free ciphertext would depend on the group's internal structure, e.g., it might be based on so-called double-discrete logarithm proofs [ref], which are bit-wise and thus much less efficient than standard discrete logarithm representation proofs.

Definition 1. Structure Preserving Encryption. An encryption scheme is said to be structure-preserving if (1) its public keys, messages, and ciphertexts consist entirely of elements of a bilinear group, (2) its encryption and decryption algorithms perform only group and bilinear map operations, and (3) it is provably secure against chosen-ciphertext attacks.

2.1 Basic Notation

We work in a group $\mathbb{G}$ of prime order $q$ generated by $g$ and equipped with a non-degenerate efficiently computable bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. Also, recall the well-known DLIN assumption:

Definition 2. Decisional Linear Assumption (DLIN). Let $\mathbb{G}$ be a group of prime order $q$. For randomly chosen $g_1, g_2, g_3 \leftarrow \mathbb{G}$ and $r, s, t \leftarrow \mathbb{Z}_q$, the following two distributions are computationally indistinguishable:

$(\mathbb{G}, g_1, g_2, g_3, g_1^r, g_2^s, g_3^t) \approx (\mathbb{G}, g_1, g_2, g_3, g_1^r, g_2^s, g_3^{r+s}).$

2.2 Construction

We construct a structure-preserving encryption scheme secure under DLIN. The scheme shares some similarities with the Cramer-Shoup encryption and with the Linear Cramer-Shoup encryption described by Shacham [ref], neither of which is structure-preserving (even in their hash-free variants).

For simplicity, we describe the scheme when encrypting a message that is a single group element in $\mathbb{G}$, but it is easily extended to encrypt vectors of group elements. The extension is presented in the full version of the paper. Also, our scheme supports labels. We consider the case when a label $L$ is a single group element, but the scheme extends trivially to the case of a label which is a vector of group elements. Labels from the space $\{0,1\}^*$ could be hashed to one or several group elements, though in such cases they have to be part of the statement rather than the witness for any NIZK proof.

— KeyGen($1^\lambda$): Choose random group generators $g_1, g_2, g_3 \leftarrow G^*$. For randomly 
chosen $\alpha = (\alpha_1, \alpha_2, \alpha_3) \leftarrow \mathbb{Z}_q^3$, set $h_1 = g_1^{\alpha_1} g_3^{\alpha_3}$ and $h_2 = g_2^{\alpha_2} g_3^{\alpha_3}$. Then, select 
$\beta_0, \dots, \beta_5 \leftarrow \mathbb{Z}_q^3$ with $\beta_i = (\beta_{i,1}, \beta_{i,2}, \beta_{i,3})$ and compute $f_{i,1} = g_1^{\beta_{i,1}} g_3^{\beta_{i,3}}$, $f_{i,2} = g_2^{\beta_{i,2}} g_3^{\beta_{i,3}}$, for $i = 0, \dots, 5$. 
Output $pk = (g_1, g_2, g_3, h_1, h_2, \{f_{i,1}, f_{i,2}\}_{i=0}^{5})$ and $sk = (\alpha, \{\beta_i\}_{i=0}^{5})$. 

— Enc($pk$, $L$, $m$): To encrypt a message $m$ with a label $L$, choose random $r, s \leftarrow \mathbb{Z}_q$ 
and set 

$$u_1 = g_1^{r},\quad u_2 = g_2^{s},\quad u_3 = g_3^{r+s},\quad c = m \cdot h_1^{r} h_2^{s},$$

$$v = \prod_{i=0}^{3} e(f_{i,1}^{r} f_{i,2}^{s}, u_i) \cdot e(f_{4,1}^{r} f_{4,2}^{s}, c) \cdot e(f_{5,1}^{r} f_{5,2}^{s}, L),$$

where $u_0 = g$. Output $c = (u_1, u_2, u_3, c, v)$. 

— Dec($sk$, $L$, $c$): Parse $c$ as $(u_1, u_2, u_3, c, v)$. Then check whether 

$$v = \prod_{i=0}^{3} e(u_1^{\beta_{i,1}} u_2^{\beta_{i,2}} u_3^{\beta_{i,3}}, u_i) \cdot e(u_1^{\beta_{4,1}} u_2^{\beta_{4,2}} u_3^{\beta_{4,3}}, c) \cdot e(u_1^{\beta_{5,1}} u_2^{\beta_{5,2}} u_3^{\beta_{5,3}}, L),$$

where $u_0 = g$. If the latter is unsuccessful, reject the ciphertext as invalid. 
Otherwise, output $m = c \cdot (u_1^{\alpha_1} u_2^{\alpha_2} u_3^{\alpha_3})^{-1}$. 

Note that the ciphertext $c \in G^4 \times G_T$. Using pairing randomization tech- 
niques, $v \in G_T$ can be replaced by six random group elements $v_0, \dots, v_5 \in G$ 
for which the following equation holds: $v = \prod_{i=0}^{3} e(v_i, u_i) \cdot e(v_4, c) \cdot e(v_5, L)$. 
This way, the ciphertext would consist only of elements in $G$. The modification 
is straightforward and is described in the full version of this paper. 


2.3 Correctness and Security 

To observe the correctness of the decryption, note that 

$$c \cdot (u_1^{\alpha_1} u_2^{\alpha_2} u_3^{\alpha_3})^{-1} = m \cdot h_1^{r} h_2^{s} \cdot \big((g_1^{r})^{\alpha_1} (g_2^{s})^{\alpha_2} (g_3^{r+s})^{\alpha_3}\big)^{-1}$$

$$= m \cdot (g_1^{\alpha_1} g_3^{\alpha_3})^{r} (g_2^{\alpha_2} g_3^{\alpha_3})^{s} \cdot \big((g_1^{r})^{\alpha_1} (g_2^{s})^{\alpha_2} (g_3^{r+s})^{\alpha_3}\big)^{-1} = m.$$

The correctness of the validity element $v$ can be verified similarly. 

Next, we show the CCA security of the encryption scheme. Our security proof 
follows the high level idea of the Hash Proof System (HPS) paradigm. Es- 
sentially, Lemma 1 says that the "proof" $\pi$, which is used as a one-time pad for 
the encryption of the message, has a corresponding HPS which is 1-universal, 
whereas Lemma 2 shows that the "proof" $\varphi$, which constitutes the consistency 
check element, has a corresponding HPS that is 2-universal. To make the proof 
below more accessible to readers unfamiliar with the HPS paradigm, we opt for 
a self-contained proof which can be easily translated into the HPS framework. 

Theorem 1. If DLIN holds, the above public key encryption scheme is secure 
against chosen-ciphertext attacks (CCA). 

Proof sketch of Theorem 1. We proceed in a sequence of games. We start with a 
game where the challenger behaves like in the standard IND-CCA game (i.e., the 
challenge ciphertext is an encryption of $m_b$, for a randomly chosen bit $b$, where 
$m_0, m_1$ are messages given by the adversary), and end up with a game where the 
challenge ciphertext is an encryption of a message chosen uniformly at random 
from the message space. Then we show that all those games are computationally 
indistinguishable. Let $W_i$ denote the event that the adversary $\mathcal{A}$ outputs $b'$ such 
that $b = b'$ in Game $i$. 

Game 0. This is the standard IND-CCA game. $\Pr[W_0] = \frac{1}{2} + \mathrm{Adv}_{\mathcal{A}}(\lambda)$. 

Game 1. For $(m_0, m_1, \hat L)$ chosen by the adversary, the challenge ciphertext 
$\hat c = (\hat u, \hat c, \hat v)$ is computed using the "decryption procedure", i.e., $\hat u_1 = g_1^{r}$, 
$\hat u_2 = g_2^{s}$, $\hat u_3 = g_3^{r+s}$, $\hat c = m_b \cdot \hat u_1^{\alpha_1} \hat u_2^{\alpha_2} \hat u_3^{\alpha_3}$ and 

$$\hat v = \prod_{i=0}^{3} e(\hat u_1^{\beta_{i,1}} \hat u_2^{\beta_{i,2}} \hat u_3^{\beta_{i,3}}, \hat u_i) \cdot e(\hat u_1^{\beta_{4,1}} \hat u_2^{\beta_{4,2}} \hat u_3^{\beta_{4,3}}, \hat c) \cdot e(\hat u_1^{\beta_{5,1}} \hat u_2^{\beta_{5,2}} \hat u_3^{\beta_{5,3}}, \hat L),$$

where $\hat u_0 = g$. The change is only syntactical, so the 
two games produce the same distributions. $\Pr[W_1] = \Pr[W_0]$. 

Game 2. The randomness vector $\hat u = (\hat u_1, \hat u_2, \hat u_3)$ of the challenge ciphertext is 
computed as a non-DLIN tuple, i.e., $\hat u_1 = g_1^{r}$, $\hat u_2 = g_2^{s}$, $\hat u_3 = g_3^{t}$ where $r, s, t \leftarrow \mathbb{Z}_q$ 
and $r + s \neq t$. Game 1 and Game 2 are indistinguishable by DLIN. Therefore, 

$$|\Pr[W_2] - \Pr[W_1]| = \mathrm{negl}(\lambda).$$

Game 3. First note that in the previous game, as well as in this one, any 
decryption query with "correct" ciphertext, i.e., which has as randomness vector 
a DLIN tuple, yields a unique plaintext. That is, regardless of the concrete choice 
of $sk$ which matches the $pk$ seen by the adversary, such queries do not reveal any 
information about the secret key. 

In this game, unlike the previous one, any decryption query with "malformed" 
ciphertext, i.e., which has a non-DLIN randomness vector $u$, is rejected. Let's 
consider two cases: 

— $(u, c, L) = (\hat u, \hat c, \hat L)$. Such a decryption query is rejected because it is either the 
challenge ciphertext (when $v = \hat v$) or the verification predicate fails trivially 
(when $v \neq \hat v$). So, this case is the same in Game 2 and Game 3. 

— $(u, c, L) \neq (\hat u, \hat c, \hat L)$. By Lemma 2 such a decryption query is rejected in Game 
2 with overwhelming probability, whereas in Game 3 it is always rejected. 

As the number of decryption queries is polynomial, $|\Pr[W_3] - \Pr[W_2]| = \mathrm{negl}(\lambda)$. 

Game 4. The challenge ciphertext encrypts a random message from the message 
space. Game 3 and Game 4 are (information theoretically) indistinguishable by 
Lemma 1. $\Pr[W_4] = \Pr[W_3]$. 

In the last game, the challenger's choice $b$ is independent from the cipher- 
text, so $\Pr[W_4] = \frac{1}{2}$. Then, by the indistinguishability of the consecutive games 
$\Pr[W_0] = \frac{1}{2} + \mathrm{negl}(\lambda)$, hence $\mathrm{Adv}_{\mathcal{A}}(\lambda) = \mathrm{negl}(\lambda)$. □ 
Lemma 1, which we used in the above proof, says that the one-time pad of the 
message, when computing the challenge ciphertext in Game 4, can be replaced 
by a random element. Whereas Lemma 2 shows that any decryption query with 
"malformed" ciphertext $c$ is rejected with overwhelming probability because the 
adversary $\mathcal{A}$ can hardly do better than guess the correct validity element. 

For the formulation and proof of the lemmas, let $g_1, g_2, g_3 \leftarrow G^*$ and $u_1 = g_1^{r}$, 
$u_2 = g_2^{s}$, $u_3 = g_3^{t}$, where $r, s, t$ are randomly chosen from $\mathbb{Z}_q$ and $r + s \neq t$. And 
for convenience, denote $z_1 = \mathrm{dlog}_g(g_1)$, $z_2 = \mathrm{dlog}_g(g_2)$, and $z_3 = \mathrm{dlog}_g(g_3)$. 


Lemma 1. For randomly chosen $\alpha \leftarrow \mathbb{Z}_q^3$, let $h_1 = g_1^{\alpha_1} g_3^{\alpha_3}$, $h_2 = g_2^{\alpha_2} g_3^{\alpha_3}$, and 
$\pi = u_1^{\alpha_1} u_2^{\alpha_2} u_3^{\alpha_3}$. Then, for a randomly chosen $\psi \leftarrow G$ it is true that the following 
distributions are equivalent: $(h_1, h_2, \pi) \equiv (h_1, h_2, \psi)$. 


Proof sketch of Lemma 1. Note that $h_1 = g^{\alpha_1 z_1 + \alpha_3 z_3}$ and $h_2 = g^{\alpha_2 z_2 + \alpha_3 z_3}$. 
Then, for the tuple $(h_1, h_2, \pi)$ the following equation holds: 

$$\begin{pmatrix} z_1 & 0 & z_3 \\ 0 & z_2 & z_3 \\ r z_1 & s z_2 & t z_3 \end{pmatrix} \begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \alpha_3 \end{pmatrix} = \begin{pmatrix} \mathrm{dlog}_g(h_1) \\ \mathrm{dlog}_g(h_2) \\ \mathrm{dlog}_g(\pi) \end{pmatrix}$$

Denote the matrix with $M$. It has a determinant $\det(M) = z_1 z_2 z_3 (t - r - s)$ 
which is not equal to $0$ due to the choice of the parameters. Therefore the matrix 
is invertible, and for any $\pi \in G$, and fixed $h_1, h_2$, there exists a unique $\alpha$ which 
yields the tuple $(h_1, h_2, \pi)$. □ 


Lemma 2. Let $u = (u_1, u_2, u_3)$ be any tuple such that $u_1 = g_1^{r}$, $u_2 = g_2^{s}$, and 
$u_3 = g_3^{t}$, for $r + s \neq t$. And for randomly chosen $\beta_0, \beta_1, \dots, \beta_5 \leftarrow \mathbb{Z}_q^3$, let 
$f_{i,1} = g_1^{\beta_{i,1}} g_3^{\beta_{i,3}}$, $f_{i,2} = g_2^{\beta_{i,2}} g_3^{\beta_{i,3}}$, for $i = 0, \dots, 5$. For any $m$ and $\tilde m$ in $G^5$, let 


where $m_0 = \tilde m_0 = g$. Then, for any $m$ and $\tilde m$, $m \neq \tilde m$, it is true that the follow- 
ing two distributions are equivalent: $(\{f_{i,1}, f_{i,2}\}_{i=0}^{5}, \varphi, \tilde\varphi) \equiv (\{f_{i,1}, f_{i,2}\}_{i=0}^{5}, \varphi, \psi)$, 
where $\psi \leftarrow G_T$ is randomly chosen. 


Proof sketch of Lemma 2. Similarly to the proof of the previous lemma, let's 
define all variables which depend on $\{\beta_i\}_{i=0}^{5}$ as the result of a constant matrix 
$M$ multiplied by the vector $(\beta_0 \,\|\, \beta_1 \,\|\, \dots \,\|\, \beta_5)^{T}$. For convenience, denote with 
$w_i = \mathrm{dlog}_g(m_i)$ and $\tilde w_i = \mathrm{dlog}_g(\tilde m_i)$, for $i = 1, \dots, 5$. Then, we have: 
$$
\begin{pmatrix}
z_1 & 0 & z_3 & & & & \cdots & & & \\
0 & z_2 & z_3 & & & & \cdots & & & \\
 & & & z_1 & 0 & z_3 & \cdots & & & \\
 & & & 0 & z_2 & z_3 & \cdots & & & \\
 & & & & & & \ddots & & & \\
 & & & & & & \cdots & z_1 & 0 & z_3 \\
 & & & & & & \cdots & 0 & z_2 & z_3 \\
r z_1 & s z_2 & t z_3 & w_1 r z_1 & w_1 s z_2 & w_1 t z_3 & \cdots & w_5 r z_1 & w_5 s z_2 & w_5 t z_3 \\
r z_1 & s z_2 & t z_3 & \tilde w_1 r z_1 & \tilde w_1 s z_2 & \tilde w_1 t z_3 & \cdots & \tilde w_5 r z_1 & \tilde w_5 s z_2 & \tilde w_5 t z_3
\end{pmatrix}
\begin{pmatrix} \beta_{0,1} \\ \beta_{0,2} \\ \beta_{0,3} \\ \beta_{1,1} \\ \vdots \\ \beta_{5,3} \end{pmatrix}
=
\begin{pmatrix} \mathrm{dlog}_g(f_{0,1}) \\ \mathrm{dlog}_g(f_{0,2}) \\ \mathrm{dlog}_g(f_{1,1}) \\ \mathrm{dlog}_g(f_{1,2}) \\ \vdots \\ \mathrm{dlog}_g(f_{5,1}) \\ \mathrm{dlog}_g(f_{5,2}) \\ \mathrm{dlog}(\varphi) \\ \mathrm{dlog}(\tilde\varphi) \end{pmatrix}
$$


We would like to argue that the rows of the matrix $M$ are linearly independent. 
As there exists $i$, $i \geq 1$, such that $m_i \neq \tilde m_i$, if we choose the sub-matrix $M'$ 
consisting of the intersection of the last two rows and rows $1, 2, 2i+1, 2i+2$ 
with columns $1, 2, 3, 3i+1, 3i+2, 3i+3$, we get: 

$$M' = \begin{pmatrix}
z_1 & 0 & z_3 & 0 & 0 & 0 \\
0 & z_2 & z_3 & 0 & 0 & 0 \\
0 & 0 & 0 & z_1 & 0 & z_3 \\
0 & 0 & 0 & 0 & z_2 & z_3 \\
r z_1 & s z_2 & t z_3 & w_i r z_1 & w_i s z_2 & w_i t z_3 \\
r z_1 & s z_2 & t z_3 & \tilde w_i r z_1 & \tilde w_i s z_2 & \tilde w_i t z_3
\end{pmatrix}$$

If the rows of $M$ are not linearly independent, neither are the rows of $M'$. However, 
$M'$ has a determinant $\det(M') = z_1^2 z_2^2 z_3^2 (w_i - \tilde w_i)(t - r - s)^2$ which 
is not equal to $0$ due to the choice of the parameters. Therefore, the rows of $M$ are 
linearly independent. □ 


3 Secure Joint Ciphertext Computation 

The CCA secure structure preserving encryption scheme is well suited to build 
a variety of protocols. More specifically, it facilitates the construction of proto- 
cols that make use of practical ZK protocols to prove properties about partial 
ciphertexts. We consider a two-party protocol for the joint computation of a 
ciphertext under a third-party public key $pk$. The encrypted value is a function 
of two secrets, each of which remains secret from the other protocol participant. 
Moreover, only one participant gets to know the ciphertext. We study the case 
where only the first party learns the ciphertext whereas the second one has no 
output. 


3.1 Preliminaries 

Simulatability Model. We use strong simulation-based definitions that guar- 
antee security under composition. In particular we base 
our exposition on [22]. In [22] both ideal systems $\mathcal{I}$ and their realizations as 
cryptographic protocols $\mathcal{P}$ are configurations of multi-tape interactive Turing 
machines (ITMs). An ITM is triggered by another ITM if the latter writes a 
message on an output tape that corresponds to an input tape of the former. 
As a convention we bundle communication tapes into interfaces $inf$ where an 
interface consists of named input/output tape pairs. An input/output tape pair 
is named $inf.R$ after a combination of the interface name $inf$ and a role name $R$. 
We refer to the set of all roles of an interface as $inf.\mathcal{R}$. 

For simulation-based security definitions, the ideal system $\mathcal{I}$ and the protocol 
$\mathcal{P}$ that emulates this ideal system have to present the same interface $inf$ towards 
their environment, i.e., they must be environment compatible. We refer to an 
ideal system and a protocol that is environment compatible with respect to 
interface $inf$ as $\mathcal{I}_{inf}$ and $\mathcal{P}_{inf}$, respectively. In addition $\mathcal{I}_{inf}$ and $\mathcal{P}_{inf}$ expose different 
network interfaces, the simulator interface $inf_{Sim}$ and the adversary interface 
$inf_{Adv}$, respectively. 

Strong simulatability. A proof that $\mathcal{P}_{inf}$ emulates $\mathcal{I}_{inf}$, short $\mathcal{P}_{inf} \leq_{SS} \mathcal{I}_{inf}$, will 
need to prove existence of a simulator $\mathrm{Sim}$ that translates between the interfaces 
$inf_{Sim}$ and $inf_{Adv}$ such that for all p.p.t. $\mathrm{Env}$: $\mathrm{Env}|\mathcal{P}_{inf} \approx \mathrm{Env}|\mathrm{Sim}|\mathcal{I}_{inf}$. This is for- 
malized as strong simulatability, which implies other simulatability notions such 
as universal composability with dummy adversaries and blackbox simulatability. 

Corruption. We consider only static corruption. A corrupted role in the ideal 
and in the real world is controlled through $inf_{Sim}.R$ and $inf_{Adv}.R$ respectively, and 
acts as a proxy that allows the simulator, respectively the environment, to send 
messages to any of its other connected tapes. We consider ideal systems $\mathcal{I}_{inf}$ that 
are fully described by a virtual incorruptible party $\mathcal{F}_{inf}$. As the functionality $\mathcal{F}_{inf}$ 
implements the security critical parts of an ideal system, the ITMs represent- 
ing the different roles of the interface only need to implement forwarding and 
corruption. We refer to the dummy party of role $R$ as $\mathcal{D}_R$. When operating over 
an adversarially controlled network, even an ideal cryptographic system cannot 
prevent denial of service attacks. We therefore give the adversary the possibility 
to delay messages from the ideal functionality to dummies. 

Practical Zero-Knowledge Proof of Knowledge Protocols. For the types 
of relations required in our protocols, there exist practical ZK protocols. We refer 
to Camenisch et al. for details. We will be proving statements of the form 
$\exists w_1, \dots, w_n : \phi(w_1, \dots, w_n, bases)$ where $w_i$ are exponents and $\phi$ is a predicate 
defining discrete logarithm representations. For a more detailed description, we 
refer to the full version of this paper. 

We use a zero-knowledge ideal functionality as defined by Listing 1 that is a 
simplification of a functionality from prior work, for which we consider only static 
corruption. This allows us to reuse that work's ZK protocol compiler to obtain effi- 
cient multi-session instantiations $\mathcal{P}_{zk}$ of $\mathcal{I}_{zk}(\mathfrak{R})$ in the hybrid secure channel and 
joint-state common reference string model. 
Listing 1: Functionality $\mathcal{F}_{zk}(\mathfrak{R})$ 

$\mathcal{F}_{zk}$ receives input from $\mathcal{D}_{Pv}$ over $\mathcal{F}_{zk}.Pv$ and provides output to $\mathcal{D}_{Vf}$ through the 
delayed communication tape $\mathcal{F}_{zk}.Vf$. Variable $state$ is initialized to "ready". 

On (Prove, $inst$, $wit$) from $\mathcal{F}_{zk}.Pv$ where $state$ = "ready" and $(inst, wit) \in \mathfrak{R}$: 

— let $state$ = "final"; send (Prove, $inst$) to $\mathcal{F}_{zk}.Vf$ 


Two-party computation. In conformance with the simulatability model dis- 
cussed above, Listing 2 defines the ideal functionality for the joint computation 
of any function $f$ on verifiable inputs $inp_1$ and $inp_2$. When performing such 
a two-party computation, party $P_{i+1}$ is guaranteed that $P_{2-i}$ knows a witness 
$wit_{2-i}$ for its input $inp_{2-i}$ such that $(inst, (wit_{2-i}, inp_{2-i})) \in \mathfrak{R}_{2-i}$. We restrict 
ourselves to tractable relations $\mathfrak{R}_i$ for which we can give efficient universally 
composable proofs of knowledge as described in the full paper. 

Listing 2: Functionality $\mathcal{F}_{tpc}(f, \mathfrak{R}_1, \mathfrak{R}_2)$ 

$\mathcal{F}_{tpc}$ communicates with $\mathcal{D}_{P_1}$ and $\mathcal{D}_{P_2}$ through delayed communication tapes 
$\mathcal{F}_{tpc}.P_1$ and $\mathcal{F}_{tpc}.P_2$. Variables $inst$, $pub$, $inp_1$ store the input of the first party; 
variable $state$ is initialized to "ready". 

On (Input$_1$, $inst'$, $pub'$, $wit'_1$, $inp'_1$) from $\mathcal{F}_{tpc}.P_1$ where $state$ = "ready" and $(inst', (wit'_1, inp'_1)) \in \mathfrak{R}_1$: 

— let $inp_1 = inp'_1$, $inst = inst'$, $pub = pub'$, and $state$ = "input1"; send 
(Input$_1$, $inst$, $pub$) to $\mathcal{F}_{tpc}.P_2$ 

On (Input$_2$, $wit_2$, $inp_2$) from $\mathcal{F}_{tpc}.P_2$ where $state$ = "input1" and $(inst, (wit_2, inp_2)) \in \mathfrak{R}_2$: 

— let $state$ = "final"; send (Result, $f(pub, inp_1, inp_2)$) to $\mathcal{F}_{tpc}.P_1$ 

We model an ideal secure two-party computation system $\mathcal{I}_{tpc}(f, \mathfrak{R}_1, \mathfrak{R}_2)$ with 
interface $tpc$ as the combination of two dummy parties $\mathcal{D}_{P_1}$ and $\mathcal{D}_{P_2}$ and an 
ideal two party computation functionality $\mathcal{F}_{tpc}$. 


3.2 Construction 

Model. The model of our joint ciphertext computation is fully described by a 
secure two party computation as in Listing 2 where $inp_i = (l_i, x_i)$, $pub = pk$, 
and $f$ is $f_{JC}(pk, (l_1, x_1), (l_2, x_2)) = \mathrm{Enc}(pk, g^{l_1 + l_2}, (g^{x_{1,1} + x_{2,1}}, \dots, g^{x_{1,n} + x_{2,n}}))$. 

Implementation. We present the protocol for the special case where the jointly 
computed ciphertext encrypts a single message (i.e., $n = 1$). This extends triv- 
ially to the multi-message case. 

The idea of the protocol is as follows. The first party computes a partial and 
blinded encryption of her secret, she proves that the computation is carried out 
correctly, and sends the partial encryption to the other party. The second party 
takes the values from the first flow of the protocol and, using its secret and 
some randomness, computes a blinded full encryption of the agreed function of 
the two plaintext contributions. Then, the second party sends these values and 
proves that they are computed correctly. Finally, the first party unblinds the 
ciphertext and updates the consistency element to obtain a valid encryption of 
the function of the two secrets under jointly chosen randomness. The function can 
be a constant to the power of any polynomial of the two secrets; for simplicity, 
we consider the function $g^{x_1 + x_2}$ where $g$ is a fixed group element and $x_1, x_2$ are 
the two secrets. 

Listing 3: Protocol $\mathcal{P}_{jcc}(\mathfrak{R}_1, \mathfrak{R}_2)$ 

Party $P_1$ and $P_2$ receive input from $jcc.P_1$ and $jcc.P_2$ respectively and communi- 
cate over $\mathcal{I}_{zk_1}$ and $\mathcal{I}_{zk_2}$. 

On (Input$_1$, $inst$, $pk$, $wit_1$, $(l_1, x_1)$) from $jcc.P_1$ 

— if $(inst, (wit_1, l_1, x_1)) \notin \mathfrak{R}_1$, $P_1$ aborts 

— $P_1$ computes $(msg_1, aux_1) \leftarrow \mathrm{BlindEnc}_1(pk, l_1, x_1)$ and proves $((msg_1, pk, inst),$ 
$(wit_1, l_1, x_1, aux_1)) \in \mathfrak{R}_{P_1}(\mathfrak{R}_1)$ to $P_2$ using $\mathcal{I}_{zk_1}(\mathfrak{R}_{P_1}(\mathfrak{R}_1))$ 

— $P_2$ learns $(msg_1, pk, inst)$ from $\mathcal{I}_{zk_1}$ and outputs (Input$_1$, $inst$, $pk$) to $jcc.P_2$ 

On (Input$_2$, $wit_2$, $(l_2, x_2)$) from $jcc.P_2$ 

— if $(inst, (wit_2, l_2, x_2)) \notin \mathfrak{R}_2$, $P_2$ aborts 

— $P_2$ runs $(msg_2, aux_2) \leftarrow \mathrm{BlindEnc}_2(pk, l_2, x_2, msg_1)$ 

— $P_2$ proves $((msg_2, pk, inst), (wit_2, l_2, x_2, aux_2)) \in \mathfrak{R}_{P_2}(\mathfrak{R}_2)$ to $P_1$ using $\mathcal{I}_{zk_2}$ 
$(\mathfrak{R}_{P_2}(\mathfrak{R}_2))$ 

— $P_1$ learns $(msg_2, pk, inst)$ from $\mathcal{I}_{zk_2}$, computes $c \leftarrow \mathrm{UnblindEnc}(pk, msg_2, aux_1)$, 
and outputs (Result, $c$) to $jcc.P_1$ 


where, abstractly, relations $\mathfrak{R}_{P_1}(\mathfrak{R}_1)$ and $\mathfrak{R}_{P_2}(\mathfrak{R}_2)$ are defined as 

$$\mathfrak{R}_{P_1}(\mathfrak{R}_1) = \{((msg_1, pk, inst), (wit_1, l_1, x_1, aux_1)) \mid \exists r : (msg_1, aux_1) = \mathrm{BlindEnc}_1(pk, l_1, x_1; r) \wedge (inst, (wit_1, l_1, x_1)) \in \mathfrak{R}_1\}$$

$$\mathfrak{R}_{P_2}(\mathfrak{R}_2) = \{((msg_2, pk, inst), (wit_2, l_2, x_2, aux_2)) \mid \exists r : (msg_2, aux_2) = \mathrm{BlindEnc}_2(pk, l_2, x_2, msg_1; r) \wedge (inst, (wit_2, l_2, x_2)) \in \mathfrak{R}_2\}.$$

In the full paper, we show how to efficiently prove the relations $\mathfrak{R}_{P_1}(\mathfrak{R}_1)$ and 
$\mathfrak{R}_{P_2}(\mathfrak{R}_2)$ by giving a $\exists$ language statement. 

We now give the details for the $\mathrm{BlindEnc}_1$, $\mathrm{BlindEnc}_2$, and $\mathrm{UnblindEnc}$ 
algorithms. 
Listing 4: Algorithms of $\mathcal{P}_{jcc}$ 


$(msg_1, aux_1) \leftarrow \mathrm{BlindEnc}_1(pk, l_1, x_1)$ 

— parse $pk$ as $(g_1, g_2, g_3, h_1, h_2, \{f_{i,1}, f_{i,2}\}_{i=0}^{5})$. 

— pick $\{\gamma_i\}_{i=1}^{5}$, $\{\delta_i\}_{i=1}^{2}$, $r_1$, and $s_1$ at random and compute 

$$\hat u_1 = g^{\gamma_1} \cdot g_1^{r_1},\quad \hat u_2 = g^{\gamma_2} \cdot g_2^{s_1},\quad \hat u_3 = g^{\gamma_3} \cdot g_3^{r_1 + s_1},$$

$$\hat u_4 = g^{\gamma_4} \cdot g^{x_1} \cdot h_1^{r_1} h_2^{s_1},\quad \hat u_5 = g^{\gamma_5} \cdot g^{l_1},$$

$$\hat v_1 = e(g_1, g^{\delta_1}) \cdot \prod_{i=1}^{5} e(f_{i,1}, g^{\gamma_i}),\quad \hat v_2 = e(g_2, g^{\delta_2}) \cdot \prod_{i=1}^{5} e(f_{i,2}, g^{\gamma_i}).$$

— output $msg_1 = (\hat u_1, \hat u_2, \hat u_3, \hat u_4, \hat u_5, \hat v_1, \hat v_2)$ 
and $aux_1 = (\{\gamma_i\}_{i=1}^{5}, \{\delta_i\}_{i=1}^{2}, r_1, s_1)$. 

$(msg_2, aux_2) \leftarrow \mathrm{BlindEnc}_2(pk, l_2, x_2, msg_1)$ 

— parse $pk$ as $(g_1, g_2, g_3, h_1, h_2, \{f_{i,1}, f_{i,2}\}_{i=0}^{5})$ and $msg_1$ as $(\hat u_1, \hat u_2, \hat u_3, \hat u_4,$ 
$\hat u_5, \hat v_1, \hat v_2)$. 

— pick $r_2$ and $s_2$ at random and compute 

$$\tilde u_1 = \hat u_1 \cdot g_1^{r_2},\quad \tilde u_2 = \hat u_2 \cdot g_2^{s_2},\quad \tilde u_3 = \hat u_3 \cdot g_3^{r_2 + s_2},$$

$$\tilde u_4 = \hat u_4 \cdot g^{x_2} \cdot h_1^{r_2} h_2^{s_2},\quad \tilde u_5 = \hat u_5 \cdot g^{l_2},$$

$$\tilde v = \Big(\prod_{i=0}^{5} e(f_{i,1}, \tilde u_i) \big/ \hat v_1\Big)^{r_2} \cdot \Big(\prod_{i=0}^{5} e(f_{i,2}, \tilde u_i) \big/ \hat v_2\Big)^{s_2},$$

where $\tilde u_0 = g$. 

— output $msg_2 = (\tilde u_1, \tilde u_2, \tilde u_3, \tilde u_4, \tilde u_5, \tilde v)$ and $aux_2 = (r_2, s_2)$. 

$c \leftarrow \mathrm{UnblindEnc}(pk, msg_2, aux_1)$ 

— parse $pk$ as $(g_1, g_2, g_3, h_1, h_2, \{f_{i,1}, f_{i,2}\}_{i=0}^{5})$, $msg_2$ as $(\tilde u_1, \tilde u_2, \tilde u_3, \tilde u_4, \tilde u_5,$ 
$\tilde v)$ and $aux_1$ as $(\{\gamma_i\}_{i=1}^{5}, \{\delta_i\}_{i=1}^{2}, r_1, s_1)$. 

— compute 

$$u_1 = \tilde u_1 / g^{\gamma_1} = g_1^{r},\quad u_2 = \tilde u_2 / g^{\gamma_2} = g_2^{s},\quad u_3 = \tilde u_3 / g^{\gamma_3} = g_3^{r+s},$$

$$u_4 = \tilde u_4 / g^{\gamma_4} = g^{x_1 + x_2} \cdot h_1^{r} h_2^{s},\quad u_5 = \tilde u_5 / g^{\gamma_5} = g^{l_1 + l_2},$$

$$v = \tilde v \cdot e(u_1 g_1^{-r_1}, g^{\delta_1}) \cdot e(u_2 g_2^{-s_1}, g^{\delta_2}) \cdot \prod_{i=0}^{5} e(f_{i,1}^{r_1} f_{i,2}^{s_1}, u_i),$$

where $u_0 = g$. 

— output $c = (u_1, u_2, u_3, u_4, v)$ encrypted with label $u_5$. 


Correctness. Recall the structure of the ciphertext of the public-key 
encryption scheme described in Section 2: for a public key $pk = 
(g_1, g_2, g_3, h_1, h_2, \{f_{i,1}, f_{i,2}\}_{i=0}^{5})$, label $u_5$, and randomly chosen $r, s \leftarrow \mathbb{Z}_q$, the 
ciphertext is computed as 

$$(u_1, u_2, u_3, u_4, v) = \Big(g_1^{r},\ g_2^{s},\ g_3^{r+s},\ m \cdot h_1^{r} h_2^{s},\ \prod_{i=0}^{5} e(f_{i,1}^{r} f_{i,2}^{s}, u_i)\Big), \quad \text{where } u_0 = g.$$

Note that the protocol in Listing 3 computes a valid ciphertext because $u_1 = g_1^{r}$ 
for $r = r_1 + r_2$, $u_2 = g_2^{s}$ for $s = s_1 + s_2$, $u_3 = g_3^{r+s}$, $u_4 = m \cdot h_1^{r} h_2^{s}$ for $m = g^{x_1 + x_2}$, 
and $v = \prod_{i=0}^{5} e(f_{i,1}^{r} f_{i,2}^{s}, u_i)$. To see that $v$ is indeed computed this way, note that 


and 

$$\tilde v \cdot e\Big(\frac{u_1}{g_1^{r_1}}, g^{\delta_1}\Big) \cdot e\Big(\frac{u_2}{g_2^{s_1}}, g^{\delta_2}\Big) \cdot \prod_{i=0}^{5} e(f_{i,1}^{r_1} f_{i,2}^{s_1}, u_i)$$

$$= e(g_1, g^{\delta_1})^{-r_2} \cdot e(g_2, g^{\delta_2})^{-s_2} \cdot e(g_1^{r_2}, g^{\delta_1}) \cdot e(g_2^{s_2}, g^{\delta_2}) \cdot \prod_{i=0}^{5} e(f_{i,1}^{r_2} f_{i,2}^{s_2}, u_i) \cdot \prod_{i=0}^{5} e(f_{i,1}^{r_1} f_{i,2}^{s_1}, u_i) = \prod_{i=0}^{5} e(f_{i,1}^{r} f_{i,2}^{s}, u_i).$$


Theorem 2. The joint ciphertext computation protocol (Listing 3) strongly em- 
ulates the ideal two-party computation protocol (Listing 2) for function $f_{JC}$: 
$\mathcal{P}_{jcc}(\mathfrak{R}_1, \mathfrak{R}_2) \leq_{SS} \mathcal{I}_{tpc}(f_{JC}, \mathfrak{R}_1, \mathfrak{R}_2)$. We refer to the full paper for details. 
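The scheme of Section 2.2 together with BlindEnc1, BlindEnc2 and UnblindEnc of Listing 4, as an added worked example that is not the authors' code: group elements are represented by their discrete logarithms to base $g$ (a constructed toy in which every algebraic identity holds but nothing is hidden, so it exercises the algebra, not the security), with a toy order `Q` and function names that are assumptions of this example. It lets one check that Dec rejects a tampered randomness vector or a wrong label, and that the jointly computed ciphertext decrypts to $g^{x_1+x_2}$ under label $g^{l_1+l_2}$.

```python
"""Toy model of the structure-preserving scheme (Section 2.2) and of BlindEnc1,
BlindEnc2 and UnblindEnc (Listing 4). Every group element is represented by its
discrete logarithm to base g, so G and G_T both become Z_q and the pairing
becomes a product of exponents. All identities of the scheme hold exactly,
but nothing is hidden: this checks the algebra, not the security.
Constructed illustration; the names below are not the authors' code."""
import secrets

Q = 2**61 - 1   # constructed toy group order (a prime); not a pairing-friendly group
G = 1           # the generator g, i.e. dlog_g(g) = 1

def rnd(): return secrets.randbelow(Q - 1) + 1
def gmul(*xs): return sum(xs) % Q        # product of group elements
def gpow(x, a): return (x * a) % Q       # x^a
def ginv(x): return (-x) % Q             # x^{-1}
def pair(x, y): return (x * y) % Q       # e(x, y), as a dlog to base e(g, g)
tmul, tpow = gmul, gpow                  # G_T uses the same representation

def keygen():
    g1, g2, g3 = rnd(), rnd(), rnd()
    alpha = [rnd(), rnd(), rnd()]
    h1 = gmul(gpow(g1, alpha[0]), gpow(g3, alpha[2]))
    h2 = gmul(gpow(g2, alpha[1]), gpow(g3, alpha[2]))
    beta = [[rnd(), rnd(), rnd()] for _ in range(6)]
    f = [(gmul(gpow(g1, b[0]), gpow(g3, b[2])),
          gmul(gpow(g2, b[1]), gpow(g3, b[2]))) for b in beta]
    return (g1, g2, g3, h1, h2, f), (alpha, beta)

def fprod(pk, r, s, elems):
    """prod_{i=0..5} e(f_{i,1}^r f_{i,2}^s, elems[i]) with elems = (g, u1, u2, u3, c, L)."""
    f, v = pk[5], 0
    for i, x in enumerate(elems):
        v = tmul(v, pair(gmul(gpow(f[i][0], r), gpow(f[i][1], s)), x))
    return v

def enc(pk, L, m):
    g1, g2, g3, h1, h2, _ = pk
    r, s = rnd(), rnd()
    u1, u2, u3 = gpow(g1, r), gpow(g2, s), gpow(g3, r + s)
    c = gmul(m, gpow(h1, r), gpow(h2, s))
    return (u1, u2, u3, c, fprod(pk, r, s, (G, u1, u2, u3, c, L)))

def dec(pk, sk, L, ct):
    """Plaintext, or None when the consistency element v does not verify (reject)."""
    u1, u2, u3, c, v = ct
    alpha, beta = sk
    expected = 0
    for i, x in enumerate((G, u1, u2, u3, c, L)):   # u_0 = g
        b = beta[i]
        expected = tmul(expected, pair(gmul(gpow(u1, b[0]), gpow(u2, b[1]), gpow(u3, b[2])), x))
    if expected != v:
        return None
    return gmul(c, ginv(gmul(gpow(u1, alpha[0]), gpow(u2, alpha[1]), gpow(u3, alpha[2]))))

def blind_enc1(pk, l1, x1):
    g1, g2, g3, h1, h2, f = pk
    gam, dlt, r1, s1 = [rnd() for _ in range(5)], [rnd(), rnd()], rnd(), rnd()
    uh = [gmul(gam[0], gpow(g1, r1)), gmul(gam[1], gpow(g2, s1)),
          gmul(gam[2], gpow(g3, r1 + s1)),
          gmul(gam[3], gpow(G, x1), gpow(h1, r1), gpow(h2, s1)),
          gmul(gam[4], gpow(G, l1))]
    vh1, vh2 = pair(g1, dlt[0]), pair(g2, dlt[1])   # e(g1, g^delta1), e(g2, g^delta2)
    for i in range(1, 6):                           # g^{gamma_i} is gam[i-1] here
        vh1 = tmul(vh1, pair(f[i][0], gam[i - 1]))
        vh2 = tmul(vh2, pair(f[i][1], gam[i - 1]))
    return (uh, vh1, vh2), (gam, dlt, r1, s1)

def blind_enc2(pk, l2, x2, msg1):
    g1, g2, g3, h1, h2, f = pk
    uh, vh1, vh2 = msg1
    r2, s2 = rnd(), rnd()
    ut = [gmul(uh[0], gpow(g1, r2)), gmul(uh[1], gpow(g2, s2)),
          gmul(uh[2], gpow(g3, r2 + s2)),
          gmul(uh[3], gpow(G, x2), gpow(h1, r2), gpow(h2, s2)),
          gmul(uh[4], gpow(G, l2))]
    p1 = p2 = 0
    for i, x in enumerate([G] + ut):                # tilde u_0 = g
        p1, p2 = tmul(p1, pair(f[i][0], x)), tmul(p2, pair(f[i][1], x))
    vt = tmul(tpow(tmul(p1, ginv(vh1)), r2), tpow(tmul(p2, ginv(vh2)), s2))
    return (ut, vt), (r2, s2)

def unblind_enc(pk, msg2, aux1):
    """Returns the ciphertext (u1, u2, u3, u4, v) together with its label u5."""
    g1, g2, g3, h1, h2, f = pk
    ut, vt = msg2
    gam, dlt, r1, s1 = aux1
    u = [gmul(ut[i], ginv(gam[i])) for i in range(5)]   # strip the g^{gamma_i} blinding
    v = tmul(vt, pair(gmul(u[0], ginv(gpow(g1, r1))), dlt[0]),
             pair(gmul(u[1], ginv(gpow(g2, s1))), dlt[1]),
             fprod(pk, r1, s1, [G] + u))
    return (u[0], u[1], u[2], u[3], v), u[4]
```

Because the representation is additive, a message $g^{x}$ is simply the integer $x$, so `dec` returning `x1 + x2` is the toy form of recovering $g^{x_1+x_2}$.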


4 Oblivious Third Parties 

Modeling oblivious third parties. Transactions in the real world can be in- 
tricately related. They may depend on many conditions, of which the verification 
can be deferred to a number of (as oblivious as possible) third parties. For the 
sake of concreteness, we now formally model a system that involves two oblivious 
third parties: a satisfaction authority and a revocation authority. In our example 
scenario, after a service enrollment between a user U and a service provider SP, 
the user ought to make a payment for the service before $t_{due}$. Upon request, the 
satisfaction authority SA checks that the user indeed made the payment and 
provides the user with a blinded transaction token. The user unblinds the token 
and publishes it to prove the satisfaction of the payment. Finally, the revocation 
authority RA reveals the user's identity to the service provider if no payment 
has been made before the payment deadline (i.e. no token corresponding to the 
enrollment was published). 

We model the security and privacy requirements of such a system with the help 
of an ideal functionality $\mathcal{F}_{otp}$. As usual, corruption is modeled via dummies $\mathcal{D}_U$, 
$\mathcal{D}_{SP}$, $\mathcal{D}_{SA}$, $\mathcal{D}_{RA}$ that allow access to the functionality both over the environment 
interface (before corruption) and the network interface (after corruption). 

The ideal system $\mathcal{I}_{otp}$ is depicted in Figure 1 and consists of the ideal 
functionality connected to the dummy parties over delayed communication tapes. 
Listing 5 specifies the reactive behavior of $\mathcal{I}_{otp}$. A user that can prove his identity 
with the help of a witness such that $(inst, (id, wit)) \in \mathfrak{R}$ is allowed to enroll. In 
particular, this interface supports the case where $wit$ and $inst$ are the secrets and 
the public key of a CL-signature on the user's identity, i.e., an anonymous 
credential, or the opening and a commitment to the user's identity, i.e., a 
pseudonym. For all these cases, the relation $\mathfrak{R}$ is tractable. 

Enrollment consists of three rounds. The first round commits the user to her 
identity. The second round provides the user with a random satisfaction label 
Fig. 1. The ideal OTP system $\mathcal{I}_{otp}$ and its realization as a protocol $\mathcal{P}_{otp}$: The realization 
makes use of ideal resources $\mathcal{I}_{sc_i}$, $\mathcal{I}_{zk_R}$, $\mathcal{I}_{reg}$, $\mathcal{I}_{jcc_i}$ for secure communication, proofs of 
knowledge, key registration, and joint ciphertext computation respectively. 

with respect to which she can satisfy the condition, e.g., make the necessary 
payment. In this round the user is also made aware of the due date $t_{due}$ for the 
payment. Note that the user has to check that $t_{due}$ fulfills reasonable uniformity 
constraints to protect her privacy. The last round gives the service provider the 
possibility to ask the identity revocation authority for the user’s identity. As a 
common limitation with other escrow mechanisms for anonymous credentials, 
we cannot extract the identity itself, but only the image of a bijection of it. We 
model this by giving the simulator the possibility to choose the bijection. As the 
identity space of realistic systems is small enough to allow for exhaustive search, 
this is not a serious limitation. 

Structure Preserving CCA Secure Encryption and Applications 103 

The client interface towards the ideal oblivious parties, i.e., the interface of the 
user and the service provider respectively, consists of two messages ReqAction 
and TestAction, with Action $\in$ {Satisfy, Open}. The obliviousness require- 
ment guarantees that oblivious parties do not learn anything about the trans- 
actions of their clients. Indeed the decision of an oblivious party cannot be 
influenced in a transaction specific way, even if the other transaction participant 
colludes with the oblivious party. This is modeled with the help of test requests 
that are not related to any transaction. As these requests are indistinguishable 
from real requests, they allow the user to check whether the oblivious party 
indeed operates as required.¹ 

Consequently, the decision of an oblivious party can only depend on explicit 
and relevant information. For satisfaction, this is the user known satisfaction 
label L with respect to which she makes her payment. For the opening, it is the 
transaction token T that is secret until after satisfaction, when it is learned by 
the user. We abstract from the way through which users make T available to 
the revocation authority, but envision some kind of anonymous publicly available 
bulletin board. It is the responsibility of the user to make the token, learned 
during satisfaction, available to RA, and the responsibility of RA to check its 
existence. All the protocol guarantees is that RA learns the same $T$ value during 
opening as the user learned during satisfaction. 

Listing 5: Functionality $\mathcal{F}_{otp}$ 

Upon initialization, let $state$ = "ready", $L = T = id = \bar T = \bar{id} = F = \mathcal{T} = \mathcal{L} = \epsilon$. 

On (SetF, $F'$, $\mathcal{T}'$, $\mathcal{L}'$) from $otp_{Sim}.F$ where $state$ = "ready": 

— abort if $F'$ is not an efficient bijection or $\mathcal{T}'$ or $\mathcal{L}'$ are not of sufficient size; 
set $F = F'$, $\mathcal{T} = \mathcal{T}'$, and $\mathcal{L} = \mathcal{L}'$. 

On (EnrollU, $inst$, $(id', wit')$) from $\mathcal{F}_{otp}.U$ where $state$ = "ready": 

— if $(inst, (id', wit')) \notin \mathfrak{R}$ abort; 

— set $state$ = "enrollu"; set $id = id'$; send (EnrollU, $inst$) to $\mathcal{F}_{otp}.SP$. 

On (DeliverEnrollU, $t'_{due}$) from $\mathcal{F}_{otp}.SP$ where $state$ = "enrollu": 

— set $t_{due} = t'_{due}$; set $T$, $L$ to random values from $\mathcal{T}$ and $\mathcal{L}$ respectively; 

— set $state$ = "deliverenrollu"; send (DeliverEnrollU, $L$, $t_{due}$) to $\mathcal{F}_{otp}.U$. 

On (DeliverEnrollSP) from $\mathcal{F}_{otp}.U$ where $state$ = "deliverenrollu": 

— set $state$ = "enrolled"; send (DeliverEnrollSP) to $\mathcal{F}_{otp}.SP$. 

On (ReqSatisfy) from $\mathcal{F}_{otp}.U$ where $T \neq \epsilon$ and $\bar T = \epsilon$: 

— set $\bar T = T$; send (ReqSatisfy, $L$) to $\mathcal{F}_{otp}.SA$. 

On (TestSatisfy, $L'$, $T'$) from $\mathcal{F}_{otp}.U$ where $\bar T = \epsilon$: 

— set $\bar T = T'$; send (ReqSatisfy, $L'$) to $\mathcal{F}_{otp}.SA$. 

On (Satisfy, $satisfied$) from $\mathcal{F}_{otp}.SA$ where $\bar T \neq \epsilon$: 

— if $satisfied$, set $m$ = (Satisfy, $\bar T$), otherwise set $m$ = (Satisfy, $\bot$); set 
$\bar T = \epsilon$; send $m$ to $\mathcal{F}_{otp}.U$. 

On (ReqOpen) from $\mathcal{F}_{otp}.SP$ where $state$ = "enrolled" and $\bar{id} = \epsilon$: 

— set $\bar{id} = id$; send (ReqOpen, $T$, $t_{due}$) to $\mathcal{F}_{otp}.RA$. 

On (TestOpen, $T'$, $id'$, $t'_{due}$) from $\mathcal{F}_{otp}.SP$ where $\bar{id} = \epsilon$: 

— set $\bar{id} = id'$; send (ReqOpen, $T'$, $t'_{due}$) to $\mathcal{F}_{otp}.RA$. 

On (Open, $open$) from $\mathcal{F}_{otp}.RA$ where $\bar{id} \neq \epsilon$: 

— if $open$, set $m$ = (Open, $F(\bar{id})$), otherwise set $m$ = (Open, $\bot$); set $\bar{id} = \epsilon$; 
send $m$ to $\mathcal{F}_{otp}.SP$. 

¹ An extension that allows not only the requester, but arbitrary external parties, e.g. 
an auditor, to make test requests is a useful and cryptographically straightforward 
extension to this interface. 


Implementing oblivious third parties. To construct a protocol that securely 
emulates the above functionality we make essential use of (adaptive chosen- 
ciphertext attack secure) encryption. As depicted in Figure 1 the protocol 
makes use of several cryptographic building blocks. But at the core of the pro- 
tocol are two joint-ciphertext computations that, as described in Section 3, can 
be efficiently realized thanks to structure preserving encryption. 

The enrollment protocol has a few more communication rounds, because of the 
zero-knowledge proofs, but otherwise closely follows the three phases of the ideal 
system. In the first phase the user commits to and proves her identity. Both the 
user and the service provider commit to randomness that they will use to jointly 
compute the transaction token $T$. The user proves knowledge of the opening of 
her commitment as part of the joint computation of the satisfaction ciphertext 
$c_1 = \mathrm{Enc}(pk_{SA}, L, T \cdot g^{r})$. In the second phase, the service provider transfers 
$t_{due}$, completes the joint ciphertext computation, and starts the computation 
of the revocation ciphertext $c_2 = \mathrm{Enc}(pk_{RA}, g^{t_{due}}, (g^{id + r'}, T))$. In both cases, 
he proves knowledge of the opening to his commitment to guarantee that the 
transaction token is embedded correctly into both ciphertexts. The user outputs 
the label of $c_1$ as the random satisfaction label $L$. In the last phase the user again 
proves knowledge of openings for her commitments in the computation of $c_2$ to 
guarantee that it contains the transaction token $T$ and a blinded user identity 
$g^{id}$ under label $g^{t_{due}}$. 

To satisfy her financial obligations, the user makes a payment with respect to 
label $L$ and then asks the satisfaction authority to decrypt $c_1$. The user receives 
the blinded transaction token, which she unblinds using her locally stored ran- 
domness to learn $T$. She makes $T$ available to the revocation authority, through 
some out-of-band anonymous bulletin board mechanism. Test satisfaction re- 
quests are just encryptions of blinded $T'$ under label $L'$. To request the opening 
of a user identity, the service provider sends the ciphertext $c_2$ to the revocation 
authority, which checks the label $t_{due}$, decrypts the ciphertext to learn $T$ and 
verifies whether $T$ was posted by the user. If not, the revocation authority re- 
turns the blinded identity $g^{id + r'}$ to the service provider, which can unblind the 
identity. Test opening requests are just encryptions of $T'$ and blinded $g^{id'}$ under 
label $t'_{due}$. 
The Real System $\mathcal{P}_{otp}$. We omit the details of the protocol and refer to the 
full version for the description of $\mathcal{P}_{otp}$ and the proof that it securely emulates 
$\mathcal{I}_{otp}$. 

5 Conclusion 

We propose the first public key encryption scheme that is structure preserving 
and secure against adaptive chosen ciphertext attacks. We demonstrate the use- 
fulness of this new primitive by the joint ciphertext computation protocol and 
our proposal for instantiating oblivious third parties. We conjecture, however, 
that the combination of the structure preserving encryption scheme and efficient 
zero-knowledge proofs facilitates a much larger set of efficient protocol construc- 
tions. All protocols are proven secure in the universal composability model. 
Abstract. Decoding random linear codes is a fundamental problem in 
complexity theory and lies at the heart of almost all code-based cryptog- 
raphy. The best attacks on the most prominent code-based cryptosystems 
such as McEliece directly use decoding algorithms for linear codes. The 
asymptotically best decoding algorithm for random linear codes of length 
$n$ was for a long time Stern's variant of information-set decoding running 
in time $\mathcal{O}(2^{0.05563n})$. Recently, Bernstein, Lange and Peters proposed a 
new technique called Ball-collision decoding which offers a speed-up over 
Stern's algorithm by improving the running time to $\mathcal{O}(2^{0.05558n})$. 

In this paper, we present a new algorithm for decoding linear codes 
that is inspired by a representation technique due to Howgrave-Graham 
and Joux in the context of subset sum algorithms. Our decoding algo- 
rithm offers a rigorous complexity analysis for random linear codes and 
brings the time complexity down to $\tilde{\mathcal{O}}(2^{0.05363n})$. 


Keywords: Information set decoding, representation technique. 


1 Introduction 

Linear codes have various applications in information theory and in cryptog- 
raphy. Many problems for random linear codes such as the so-called syndrome 
decoding are known to be NP-hard [2] and thus coding-based cryptography hopes 
to transfer this hardness to an average case hardness for cryptographic construc- 
tions. Since it is unlikely that hard coding problems are efficiently solvable on 
quantum computers, coding-based constructions are also one of the most promi- 
nent candidates for quantum-resistant cryptography. 

Even many of today's lattice-based constructions like Regev's cryptosystem 
or the HB protocol inherently rely on the hardness of syndrome decod- 
ing via a variant called the Learning Parity with Noise (LPN) problem. Given the 
importance of the syndrome decoding problem, it is a major task to understand 
its complexity in order to properly define cryptographic parameters that offer a 
sufficient security level. Let us introduce some notation that helps to investigate 
the syndrome decoding problem for linear codes. 

A binary linear $[n, k, d]$-code $C$ of length $n$ is a linear subspace of the vector 
space $\mathbb{F}_2^n$. The dimension $k$ of $C$ is the dimension of the subspace. The distance 
$d$ of $C$ is defined as the minimal Hamming distance between two codewords. 

An $[n, k, d]$-code $C$ can be defined via some basis matrix $G \in \mathbb{F}_2^{k \times n}$ for the subspace, 
called a generator matrix, i.e. $C = \{xG : x \in \mathbb{F}_2^k\}$. Alternatively, we can 
define $C$ via a parity check matrix $H \in \mathbb{F}_2^{(n-k) \times n}$ whose kernel equals $C$, i.e. we 
have $C = \{x \in \mathbb{F}_2^n : Hx^t = 0\}$. Moreover, let $C$ have distance $d$ and let $c \in C$ be a 
codeword. Assume that we transmit $x = c + e$ for some error vector with Hamming 
weight $w := \mathrm{wt}(e) \leq \lfloor (d-1)/2 \rfloor$. Then $c$ is the unique closest codeword in $C$ to $x$. 

The term $s(x) := Hx^t = H(c^t + e^t) = He^t$ is called the syndrome of $x$. 
Notice that $e$ defines the unique linear combination of exactly $w$ columns of $H$ 
that sum to $He^t$ over $\mathbb{F}_2^{n-k}$. Finding this linear combination allows to recover the 
closest codeword $c = x + e$. Hence, the so-called syndrome decoding of linear 
codes amounts to finding a subset $I$ of $w$ out of $n$ vectors from $\mathbb{F}_2^{n-k}$ such that 
the vectors in $I$ sum to a fixed target value $s(x)$. 

A naive linear decoding algorithm is thus to search over all $\binom{n}{w}$ linear combinations 
of columns in $H$. Obviously $w \leq \lfloor (d-1)/2 \rfloor$, therefore the search space $\binom{n}{w}$ is 
maximal for $w$ as large as possible. Thus, in coding based cryptosystems like 
McEliece one usually fixes the weight of the error vector $e$ to $w := \lfloor (d-1)/2 \rfloor$. 
Throughout the paper, we assume for simplicity that we know $w$. We would like 
to stress that our decoding algorithm also works with the same asymptotical running 
time for unknown $w$, if we incorporate a loop over all possible values of $w$ 
within the interval $(0, \lfloor (d-1)/2 \rfloor]$, since our asymptotical running time is dominated 
by the largest value of $w$. 

The running time of a decoding algorithm is a function of the three code 
parameters $[n, k, d]$. A random $[n, k, d]$-code is defined via a random parity check 
matrix $H \in_R \mathbb{F}_2^{(n-k) \times n}$. It is well-known that for sufficiently large $n$ random 
linear codes reach the so-called Gilbert-Varshamov bound (see [9], Chapter 2 
for an introduction). More precisely, the code rate $k/n$ of a random linear code 
asymptotically reaches $1 - H(d/n)$, where $H$ is the binary entropy function. Solving 
for $d$ allows us to express the asymptotical running time for random linear codes 
as a function of $[n, k]$ only. We obtain a worst case running time as a function 
of $n$ if we take the maximum over all values of $0 < k < n$. For all decoding 
algorithms in this work the worst case appears for codes of rate $k/n \approx 0.47$. 


Related Work. Let $s(x) = Hx^t$ be the syndrome of some erroneous codeword 
$x = c + e$ with $c \in C$ and weight-$w$ error $e$. We briefly show how to extract 
$e$ from $s(x)$ by an algorithm called information set decoding, that was already 
mentioned in the initial security analysis of McEliece and further explored 
by Lee and Brickell [9]. 

The idea of information set decoding is to reduce the search space by linear 
algebra. The first step is to randomly permute the columns of $H$, which 
basically permutes the coordinates of the error vector $e$. Then, one transforms 
the permuted $\bar{H} \in \mathbb{F}_2^{(n-k) \times n}$ into systematic form $(Q \mid I_{n-k})$ with $Q \in \mathbb{F}_2^{(n-k) \times k}$ 
and $I_{n-k}$ the $(n-k)$-dimensional identity matrix. Next, one fixes a weight $p$ 
and computes for all linear combinations of $p$ columns in $Q$ the sum with the 
given syndrome $s(x)$. If this sum has Hamming weight exactly $w - p$, then we 
can simply choose another $w - p$ columns from the identity matrix $I_{n-k}$ in order 
to obtain a weight-$w$ linear combination of columns that sum to $s(x)$. 

Obviously, information set decoding succeeds if we permute $e$ such that exactly 
$p$ out of its $w$ 1-entries are in the first $k$ coordinates, and the remaining 
$(w - p)$ 1-entries fall into the last $n - k$ coordinates. Optimization of $p$ yields a 
running time of $\tilde{O}(2^{0.05751n})$. 

In 1988, Leon [12] and Stern [13] further improved information set decoding 
by enforcing a window of 0-entries of size $\ell$ in the last $n - k$ entries of $e$. Assume 
that this length-$\ell$ window is e.g. in positions $k+1, \ldots, k+\ell$ of $e$. Then the 
weight-$p$ linear combination of $Q$ has to exactly match the syndrome $s(x)$ in the 
$\ell$ positions $1, \ldots, \ell$, since we are no longer allowed to use the first $\ell$ columns from 
$I_{n-k}$. Stern [13] proposed to compute those weight-$p$ linear combinations of $Q$ 
by a birthday technique via the sum of two disjoint weight-$p/2$ sums of columns 
in $Q$. This algorithm lowers the time complexity to $\tilde{O}(2^{0.05563n})$ by increasing 
the memory complexity to $\tilde{O}(2^{0.013n})$. 

In this work, we study a variant of Stern's information set decoding algorithm 
which is an instantiation of an algorithm by Finiasz and Sendrier from 2009 [5]. 
We call this instantiation FS-ISD. In FS-ISD, the 0-window is removed by simply 
removing the corresponding $\ell$ columns, i.e., by adjusting the systematic form to 
$\Big(Q \,\Big|\, \begin{smallmatrix} 0 \\ I_{n-k-\ell} \end{smallmatrix}\Big)$ with $Q \in \mathbb{F}_2^{(n-k) \times (k+\ell)}$. 

A different approach for removing the length-$\ell$ 0-window restriction in Stern's 
algorithm was recently proposed by Bernstein, Lange and Peters [3], called Ball-collision 
decoding by the authors. In Ball-collision decoding,  one allows to have 
a small non-zero weight $q$ in the length-$\ell$ window. Both algorithms, FS-ISD 
and Ball-collision decoding, share the same time complexity $\tilde{O}(2^{0.05558n})$ and 
memory complexity $\tilde{O}(2^{0.014n})$. 

As a sideline of our work we show that any parameter choice $(p, q, \ell)$ for 
Ball-collision decoding can be transformed into parameters $(p', \ell')$ for the FS-ISD 
algorithm with the same asymptotic time complexity. That is, FS-ISD is 
asymptotically at least as efficient as Ball-collision decoding. We conjecture that 
both algorithms actually behave asymptotically equivalently. Since FS-ISD offers a 
simpler description than Ball-collision, we focus on improving the FS-ISD variant 
in this work. 

Our Contribution. We provide a new information set decoding algorithm 
based on FS-ISD. The major subproblem in FS-ISD is to find exactly $p$ columns 
of an $\ell$-row submatrix $Q'$ of the $(n-k) \times (k+\ell)$ matrix $Q$ that sum to the 
corresponding $\ell$ coordinates of the syndrome $s(x)$. 

More precisely, let $Q' = [q'_1 \ldots q'_{k+\ell}]$ and $s'(x)$ be the projections of $Q$ 
and $s(x)$ on the desired $\ell$ coordinates. Then we have to find an index set 
$I \subseteq \{1, \ldots, k+\ell\}$ with $|I| = p$ and $\sum_{i \in I} q'_i = s'(x)$. We call this problem 
the submatrix matching problem. Our improvement of information set decoding 
comes from a more efficient algorithm for the submatrix matching problem than 
the birthday algorithm of Stern. Our algorithm for the submatrix matching problem 
might be of independent interest as this problem is again a parametrized 
version of syndrome decoding. 

In FS-ISD, the submatrix matching problem is solved by splitting the interval 
$[1, k+\ell]$ into the two disjoint intervals $[1, \frac{k+\ell}{2}]$ and $[\frac{k+\ell}{2}+1, k+\ell]$. Then one 
searches in a birthday-type manner for two index sets $I_1 \subseteq [1, \frac{k+\ell}{2}]$ and $I_2 \subseteq 
[\frac{k+\ell}{2}+1, k+\ell]$ of cardinality $p/2$ each, such that $\sum_{i \in I_1} q'_i = \sum_{i \in I_2} q'_i + s'(x)$. 

Our approach is inspired by a clever representation technique used in a recent 
subset sum algorithm of Howgrave-Graham and Joux from Eurocrypt 2010 [8]. 
We choose $I_1$ and $I_2$ in the submatrix matching problem both from the whole 
interval $[1, k+\ell]$ instead of taking two disjoint intervals of size $\frac{k+\ell}{2}$. Let $I$ be a 
solution with $\sum_{i \in I} q'_i = s'(x)$ and $|I| = p$. 

Then the major observation is that $I$ has $\binom{p}{p/2}$ different representations of 
the form $I = I_1 \cup I_2$ with $|I_1| = |I_2| = p/2$. Thus, we also have $\binom{p}{p/2}$ identities of 
the form 

$\sum_{i \in I_1} q'_i = \sum_{i \in I_2} q'_i + s'(x)$ 

instead of just one unique representation as in FS-ISD. 

Interestingly, Finiasz and Sendrier also allow for non-disjoint splittings in [5]. 
However, their framework does not make use of different representations. It 
is precisely the representation technique that allows us to bypass their lower 
bound argument and to asymptotically beat the lower bound for information set 
decoding given in [5]. Our algorithm achieves an asymptotic running time of 
$\tilde{O}(2^{0.05363n})$ using memory $\tilde{O}(2^{0.021n})$. 

The correctness of our algorithm is rigorously proven under the assumption 
that $H$ is a uniformly random $\{0,1\}$-matrix. This assumption is plausible in the 
cryptographic setting, since it is actually the goal of crypto designers to hide 
the structure of the underlying code, e.g. the Goppa code in McEliece, by linear 
transformations. 

Table 1. Comparison of exponents in the asymptotic worst-case complexities 

                                       time        space 
  Lee-Brickell                         0.05751n    - 
  Stern                                0.05563n    0.013n 
  FS-ISD / Ball-collision              0.05558n    0.014n 
  Lower bound from [5]                 0.05556n    0.014n 
  Our algorithm with FS-ISD space      0.05402n    0.014n 
  Our algorithm                        0.05363n    0.021n 


Table 1 summarizes the worst-case complexity of decoding algorithms. Notice 
that Stern's algorithm, FS-ISD and Ball-collision are typical time-memory 
tradeoffs that decrease the running time complexity at the cost of an increased 
memory complexity. In contrast, our algorithm does not only benefit from a 
mere time-memory tradeoff. For example, if we restrict our memory complexity 
to $\tilde{O}(2^{0.014n})$ as in FS-ISD we still obtain an improved running time. 

Roadmap. Our paper is organized as follows. We first introduce some useful 
notation in Section 2. In Section 3 we briefly recall the state of the art in 
information set decoding, including Stern's algorithm, FS-ISD and Ball-collision 
decoding. In Section 4 we provide an algorithm for the submatrix matching 
problem. This leads to our new information set decoding algorithm in Section 5, 
for which we provide some experimental results in Section 6. 

2 Notation 

By $[k]$ we define the set of natural numbers between 1 and $k$, i.e. $[k] = \{1, \ldots, k\}$. 
The cardinality of a finite set $I$ is denoted by $|I|$. For better readability we 
represent matrices $Q$ and vectors $e$ by bold letters. For index sets $I \subseteq [n]$, 
$J \subseteq [k]$ and an $n \times k$ matrix $Q = (q_{i,j})_{i \in [n], j \in [k]} \in \mathbb{F}_2^{n \times k}$ we denote by $Q^I_J = 
(q_{i,j})_{i \in I, j \in J}$ the submatrix containing the $|I|$ rows and $|J|$ columns defined by $I$ 
and $J$, respectively. When we consider submatrices of $Q$ where either columns or 
rows are chosen, we simply write $Q_J$ or $Q^I$, meaning $Q_J = Q^{[n]}_J$ and $Q^I = Q^I_{[k]}$. 
We extend this notion to vectors $s \in \mathbb{F}_2^n$ and write $s_L$ for the projection of 
$s$ onto the coordinates defined by $L$. Further, for a matrix $Q = (q_{i,j})_{i \in [n], j \in [k]} \in 
\mathbb{F}_2^{n \times k}$ and index sets $L \subseteq [n]$ with $|L| = \ell$, we define a mapping $\pi_L : \mathbb{F}_2^{n \times k} \to \mathbb{F}_2^{\ell}$ 
where 


$\pi_L(Q) := \sum_{i=1}^{k} Q^L_{\{i\}} \in \mathbb{F}_2^{\ell}$ 


is the projection of the sum of $Q$'s columns onto the $\ell$ rows defined by $L$. 
As before, we sometimes omit the index set $L$ which means that we consider 
the sum of $Q$'s columns without projecting it to a certain number of rows, i.e. 
$\pi(Q) = \pi_{[n]}(Q) \in \mathbb{F}_2^n$. 

By $\mathrm{wt}(x)$ we denote the Hamming weight of a vector $x \in \mathbb{F}_2^n$, i.e., $\mathrm{wt}(x)$ 
counts the number of non-zero entries of $x$. By $\mathrm{supp}(x) := \{i \in [n] : x_i = 1\}$ we 
denote the support of a vector $x$, i.e., the set of indices corresponding to non-zero 
coordinates of $x \in \mathbb{F}_2^n$. We represent the $n$-dimensional identity matrix by $I_n$ and 
the $i$-th unit vector by $u_i$. Observe that $\sum_{i \in \mathrm{supp}(x)} u_i = x$ for every $x \in \mathbb{F}_2^n$. For 
a set of natural numbers $I \subseteq \mathbb{N}$, we introduce the shifted set $k + I := \{k + i : i \in I\}$ 
for arbitrary $k \in \mathbb{N}$. 

Throughout the asymptotic complexity analysis of our exponential algorithms 
we make use of the soft Landau notation $\tilde{O}$ which suppresses arbitrary polynomial 
factors, i.e., $p(n)2^n = \tilde{O}(2^n)$ for every polynomial $p(n)$. We often need to estimate 
binomial coefficients asymptotically. Stirling's formula yields 



where $H(x) = -x \log_2(x) - (1-x) \log_2(1-x)$ is the binary entropy function. 
3 Information Set Decoding Algorithms 

3.1 Information Set Decoding 

Let $C$ be an $[n, k, d]$-code with parity check matrix $H$. Furthermore, let $x = c + e$, 
$c \in C$ be an erroneous codeword with error $e$, $\mathrm{wt}(e) = \lfloor (d-1)/2 \rfloor$. In order to find 
$e$, information set decoding proceeds as follows. 

Initially, we apply a random permutation to the columns of $H$, resulting in a 
permuted matrix $\bar{H}$. Then we apply Gaussian Elimination on the right-hand square 
submatrix $\bar{H}_I$, $I = \{k+1, \ldots, n\}$. If $\bar{H}_I$ is invertible, Gaussian Elimination will 
succeed and we obtain a systematic form$^1$ $(Q \mid I_{n-k})$ of $\bar{H}$, see Figure 1. 

After the first step all the work can be done within the $k$ columns of submatrix 
$Q$. In the Lee-Brickell algorithm [9] one checks for every $I \subseteq [k]$ with cardinality 
$|I| = p$ whether $\mathrm{wt}(\pi(Q_I) + s(x)) = \omega - p$. If so, we can easily choose $\omega - p$ 
columns in the $I_{n-k}$ part of $\bar{H}$ indexed by $J = k + \mathrm{supp}(\pi(Q_I) + s(x)) \subseteq 
[k+1, n]$ which eliminate the remaining 1-entries. This in turn implies that 
$\sum_{i \in I} Q_{\{i\}} + \sum_{j \in J} \bar{H}_{\{j\}} = s(x)$. 

Therefore, $I$ and $J$ determine the support of the permuted error vector $\bar{e} = 
eU_P$, i.e., we can set $\mathrm{supp}(\bar{e}) := I \cup J$ which finally reveals the error $e$. 


[Figure 1: the permuted parity check matrix in systematic form $(Q \mid I_{n-k})$, with column blocks of width $k$ and $n-k$.] 

Fig. 1. Collision Decoding by Stern: $\bar{H}\bar{e}^t = s(x)^t$. The error vector $\bar{e}$ contains two 
blocks each of $p/2$ 1's in its upper half corresponding to the columns of $Q_{I_1}$ and $Q_{I_2}$. Since 
$Q_{I_1}$ and $Q_{I_2}$ sum up to $s(x)$ on the rows defined by $[\ell]$ we have to fix a corresponding 
zero-block in coordinates $\{k+1, \ldots, k+\ell\}$ of $\bar{e}$. The remaining $(\omega - p)$ 1's are then 
distributed over the remaining coordinates $\{k+\ell+1, \ldots, n\}$ of $\bar{e}$. 


3.2 Stern’s Algorithm 

In the late 80s, Leon and Stern [12,13] introduced the idea of forcing the first 
$\ell$ coordinates of $\pi(Q_I)$ already to the coordinates of $s(x)$. Let $s_{[\ell]}(x)$ be the 
projection of $s(x)$ onto the coordinates in $[\ell]$. 

We enumerate for all $I_1 \subseteq [1, k/2]$, $I_2 \subseteq [k/2+1, k]$ the projected vectors $\pi_{[\ell]}(Q_{I_1})$ 
and $\pi_{[\ell]}(Q_{I_2}) + s_{[\ell]}(x)$ in two lists. Then we search for collisions in these lists, 
meaning that we look for two weight-$p/2$ sums of columns that are equal to the 
syndrome $s(x)$ within the coordinates of $[\ell]$. 

If $\mathrm{wt}(\pi(Q_{I_1}) + \pi(Q_{I_2}) + s(x)) = \omega - p$ holds for one of these collisions, we 
again set the corresponding $\omega - p$ coordinates in the second half of the permuted 
error vector $\bar{e}$ to 1, see Fig. 1 for an illustration. 

$^1$ In more detail, we transform $H$ by multiplying it by two invertible matrices $U_P \in 
\mathbb{F}_2^{n \times n}$, $U_G \in \mathbb{F}_2^{(n-k) \times (n-k)}$ corresponding to the initial column permutation and the 
Gaussian Elimination, respectively. Then $(Q \mid I) = U_G(HU_P)$. Notice that the transformation 
$U_G$ also needs to be applied to the syndrome $s(x)$, which we omit for simplicity 
of exposition. 

To analyze Stern's algorithm we have to consider both the complexity of 
each iteration and the probability of success. The complexity of each iteration 
is dominated by the collision finding step in two lists. This can be done by a 
simple sort-and-match technique. Neglecting log factors, we obtain complexity 

$T_{\text{Stern}}(p, \ell) := \max\left\{ \binom{k/2}{p/2},\ \frac{\binom{k/2}{p/2}^2}{2^{\ell}} \right\}.$   (3) 

In order to analyze the success probability, we need to compute the probability 
that a random permutation of the error $e \in \mathbb{F}_2^n$ of weight $\mathrm{wt}(e) = \omega$ has a good 
weight distribution, i.e., $\bar{e}$ needs to have weight $p/2$ both on its coordinates in 
$[1, k/2]$ and $[k/2+1, k]$ and zero weight on all coordinates with indices in the 
set $\{k+1, \ldots, k+\ell\}$ as illustrated in Fig. 1. Thus, we obtain success probability 



The overall running time of Stern's algorithm is hence given by $C_{\text{Stern}} = T_{\text{Stern}} \cdot P_{\text{Stern}}^{-1}$. 
Optimizing this expression for $p$ and $\ell$ under the natural constraints $0 \leq p \leq \omega$ 
and $0 \leq \ell \leq n - k - \omega + p$ we obtain time complexity $\tilde{O}(2^{0.05563n})$ and space 
complexity $\tilde{O}(2^{0.013n})$. The optimal parameter choice is given by $p = 0.003n$ 
and $\ell = 0.013n$. 
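Stern's algorithm as just described, as an added, stand-alone Python example (not code from the paper): a random parity check matrix H and a planted weight-ω error are constructed as sample input, each iteration permutes the columns, brings H into the systematic form (Q | I_{n-k}) while applying the same row operations U_G to the syndrome, collides two weight-p/2 lists over [1, k/2] and [k/2+1, k] on the first ℓ rows, and completes the solution with unit vectors; the sizes n, k, ω, p, ℓ are toy values chosen here.

```python
import itertools
import random

# Constructed toy instance (not from the paper): a random [n, k]-code given
# by a random (n-k) x n parity check matrix H, an error e of weight OMEGA
# planted by the sample generator, and its syndrome s = H e^t.
N, K, OMEGA = 24, 12, 3
P, ELL = 2, 3                  # Stern parameters p and window length ell


def syndrome(h, e):
    """s = H e^t over F_2, as a list of n-k bits."""
    return [sum(a & b for a, b in zip(row, e)) & 1 for row in h]


def make_code_instance(rng):
    h = [[rng.getrandbits(1) for _ in range(N)] for _ in range(N - K)]
    e = [0] * N
    for j in rng.sample(range(N), OMEGA):
        e[j] = 1
    return h, e, syndrome(h, e)


def systematic_form(h, s, cols):
    """Row-reduce H so that the columns listed in `cols` become I_{n-k};
    the same row operations (the matrix U_G of the footnote) are applied
    to the syndrome.  Returns (rows, s') or None if H_I is singular."""
    rows = [r[:] for r in h]
    s = s[:]
    m = len(rows)
    for i, c in enumerate(cols):
        piv = next((r for r in range(i, m) if rows[r][c]), None)
        if piv is None:
            return None
        rows[i], rows[piv] = rows[piv], rows[i]
        s[i], s[piv] = s[piv], s[i]
        for r in range(m):
            if r != i and rows[r][c]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[i])]
                s[r] ^= s[i]
    return rows, s


def stern_decode(h, s, k, omega, p, ell, rng, max_iter=5000):
    """Stern's algorithm: permute, bring to (Q | I_{n-k}), collide two
    weight-p/2 lists on the rows [ell], then complete with unit vectors."""
    n, m = len(h[0]), len(h)
    window = (1 << ell) - 1              # bit mask of the rows in [ell]
    for _ in range(max_iter):
        perm = list(range(n))
        rng.shuffle(perm)
        res = systematic_form([[row[j] for j in perm] for row in h], s, range(k, n))
        if res is None:                  # H_I singular: draw a new permutation
            continue
        rows, sp = res
        # columns of Q and the transformed syndrome as (n-k)-bit integers
        q = [sum(rows[i][j] << i for i in range(m)) for j in range(k)]
        sv = sum(sp[i] << i for i in range(m))
        # list 1: pi_[ell](Q_{I_1}) for all I_1 in the first half of [k]
        table = {}
        for i1 in itertools.combinations(range(k // 2), p // 2):
            v1 = 0
            for j in i1:
                v1 ^= q[j]
            table.setdefault(v1 & window, []).append((i1, v1))
        # list 2: pi_[ell](Q_{I_2}) + s_[ell] over the second half, collided
        for i2 in itertools.combinations(range(k // 2, k), p // 2):
            v2 = sv
            for j in i2:
                v2 ^= q[j]
            for i1, v1 in table.get(v2 & window, ()):
                rest = v1 ^ v2           # pi(Q_I1) + pi(Q_I2) + s, zero on [ell]
                if bin(rest).count("1") != omega - p:
                    continue
                ebar = [0] * n           # permuted error: I_1, I_2 and unit vectors
                for j in i1 + i2:
                    ebar[j] = 1
                for i in range(m):
                    if rest >> i & 1:
                        ebar[k + i] = 1
                e = [0] * n              # undo the column permutation
                for pos, orig in enumerate(perm):
                    e[orig] = ebar[pos]
                return e
    return None


def demo(seed=7):
    rng = random.Random(seed)
    h, e_planted, s = make_code_instance(rng)
    e = stern_decode(h, s, K, OMEGA, P, ELL, rng)
    return h, s, e
```

For these toy sizes the decoder may return a different weight-ω vector with the same syndrome than the planted one, which is why the check below verifies weight and syndrome rather than equality.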

3.3 The Finiasz-Sendrier ISD Algorithm 

The idea of the FS-ISD algorithm is to increase the success probability for having 
a permuted error vector $\bar{e}$ of the desired form by allowing $\bar{e}$ to spread its 1's over 
all coordinates, instead of fixing a certain $\ell$-width 0-window. This is realized by 
changing the systematic form during the Gaussian Elimination process. 

As before, we first randomly permute the columns of $H$, which results in a 
permuted matrix $\bar{H} = HU_P$. Then we carry out a partial Gaussian Elimination 
on the right-hand lower square submatrix $\bar{H}^I_J \in \mathbb{F}_2^{(n-k-\ell) \times (n-k-\ell)}$ with index 
sets $I = \{\ell+1, \ldots, n-k\}$ and $J = \{k+\ell+1, \ldots, n\}$. 

Next, we force an $\ell \times (n-k-\ell)$ zero block in the remaining $\ell$ rows of the 
submatrix $\bar{H}_J$ by adding rows of the identity matrix. Mathematically, we represent 
the partial Gaussian Elimination plus row elimination by a multiplication 
with an $(n-k) \times (n-k)$ invertible matrix $U_G$. Therefore, the initial step in 
FS-ISD, which we denote $\mathrm{Init}(H)$, yields a modified systematic form 


$\Big(Q \,\Big|\, \begin{smallmatrix} 0 \\ I_{n-k-\ell} \end{smallmatrix}\Big) = U_G H U_P$ with $Q \in \mathbb{F}_2^{(n-k) \times (k+\ell)}$. 


114 A. May, A. Meurer, and E. Thomae 


In Fig. 2 we illustrate the birthday collision step of FS-ISD which is the same 
as in Stern's algorithm but for a submatrix which now has $k + \ell$ columns 
instead of $k$ columns. 


[Figure 2: the modified systematic form with column blocks of width $k+\ell$ and $n-k-\ell$ and row blocks of height $\ell$ and $n-k-\ell$.] 

Fig. 2. Birthday collision search in FS-ISD 

A straightforward modification of the analysis of Stern's algorithm from 
Section 3.2 yields a complexity of 


$T_{\text{FS-ISD}}(p, \ell) := \max\left\{ S_{\text{FS-ISD}}(p, \ell),\ \frac{S_{\text{FS-ISD}}(p, \ell)^2}{2^{\ell}} \right\}$   (5) 


per iteration, where $S_{\text{FS-ISD}}(p, \ell) = \binom{(k+\ell)/2}{p/2}$ denotes the size of the initial lists 
and thus represents also the space complexity. Furthermore, the success probability 
of getting an error vector $\bar{e}$ of the desired form is now given by 


$P_{\text{FS-ISD}}(p, \ell)$ 


Thus, we obtain a total complexity of $C_{\text{FS-ISD}}(p, \ell) = T_{\text{FS-ISD}}(p, \ell) \cdot 
P_{\text{FS-ISD}}(p, \ell)^{-1}$. Optimizing this expression yields a worst-case running time of 
$\tilde{O}(2^{0.05558n})$ within space complexity $\tilde{O}(2^{0.014n})$. The optimal parameter choice 
is given by $p = 0.003n$ and $\ell = 0.014n$. 


3.4 Ball-collision Decoding 

In 2011, Bernstein, Lange and Peters [3] presented another information set decoding 
algorithm, which they called Ball-collision decoding (BCD for shorthand). 
The general idea of BCD is very similar to the idea of the FS-ISD algorithm, 
namely the authors increase the success probability of one iteration in Stern's 
algorithm by allowing an additional number of ones within the fixed width-$\ell$ 
0-window. 

Therefore, BCD allows for $q$ additional 1's within the 0-window, or in other 
words for a Hamming ball of radius $q$ within the 0-window. More precisely, let $I$ 
be an index set with $|I| = p/2$ chosen from the intervals $[1, k/2]$ or $[k/2+1, k]$. Each 
entry $(I, \pi_{[\ell]}(Q_I))$ in the initial lists of Stern's algorithm has to be expanded by 
all possible projected weight-$q/2$ column sums $\pi_{[\ell]}(I_J)$ of the identity matrix 
$I_{n-k}$ for index sets $J$ of size $|J| = q/2$ contained either in $[k+1, k+\ell/2]$ or 
$[k+\ell/2+1, k+\ell]$. 

Analogously to the analysis of Stern's algorithm in Sect. 3.2 we obtain an 
asymptotic time complexity for one iteration of BCD of 

$T_{\text{BCD}}(p, \ell, q) := \max\left\{ S_{\text{BCD}}(p, \ell, q),\ \frac{S_{\text{BCD}}(p, \ell, q)^2}{2^{\ell}} \right\}.$   (7) 

The space consumption is $S_{\text{BCD}}(p, \ell, q) = \binom{k/2}{p/2}\binom{\ell/2}{q/2}$. Similarly one obtains a 
success probability of 



Eventually, the overall complexity of BCD is given by $C_{\text{BCD}}(p, \ell, q) = 
T_{\text{BCD}}(p, \ell, q) \cdot P_{\text{BCD}}(p, \ell, q)^{-1}$. 

Intuitively, FS-ISD and BCD proceed in a similar fashion by allowing $\bar{e}$ to 
spread its 1's in a more flexible way at the cost of slightly increasing the workload 
and space complexity per iteration. Indeed, the following theorem shows that 
FS-ISD is asymptotically at least as efficient as BCD. 

Theorem 1. Let $(p, q, \ell)$ be a parameter set for the BCD algorithm. Then $(p + 
q, \ell)$ is a parameter set for FS-ISD satisfying 

$C_{\text{FS-ISD}}(p + q, \ell) \leq C_{\text{BCD}}(p, \ell, q).$ 

Proof. See full version, available from the authors. 

Due to Theorem 1 we take the FS-ISD algorithm as a starting point for our new 
construction, in which we improve on the birthday-collision step. 

4 How to Solve the Submatrix Problem 

Recall that in each iteration of the FS-ISD algorithm one has to find in a projected 
$\ell \times (k+\ell)$-submatrix a weight-$p$ sum of columns that sums to a target 
syndrome. We call this problem the submatrix matching problem. 

Definition 1. The submatrix matching problem with parameters $\ell$, $k$ and $p \leq 
k + \ell$ is defined as follows. Given a random matrix $Q = [q_1 \ldots q_{k+\ell}] \in_R \mathbb{F}_2^{\ell \times (k+\ell)}$ 
and a target vector $s \in \mathbb{F}_2^{\ell}$, find an index set $I$ of size at most $p$ such that the 
corresponding columns of $Q$ sum to $s$, i.e., find $I \subseteq [k+\ell]$, $|I| \leq p$ with 

$\pi(Q_I) = \sum_{i \in I} q_i = s \in \mathbb{F}_2^{\ell}.$ 

The submatrix matching problem is a vectorial variant of the well-known subset 
sum problem. In the following, we propose an algorithm ColumnMatch for the 
problem, based on a recently introduced representation technique for the subset 
sum problem by Howgrave-Graham and Joux [8]. 

When we use ColumnMatch in information set decoding, the input parameters 
$p$, $\ell$ are optimization parameters that guarantee that some solution $I$ exists 
with a certain probability $P(p, \ell)$, compare e.g. with $P_{\text{FS-ISD}}(p, \ell)$ in Section 3.3. 
4.1 The ColumnMatch Algorithm 

Let us briefly explain our ColumnMatch algorithm. We recommend the reader 
to follow our algorithm's description via the illustration given in Fig. 3 and the 
pseudocode description in Algorithm 1. 

Let $Q = [q_1 \ldots q_{k+\ell}] \in_R \mathbb{F}_2^{\ell \times (k+\ell)}$ and $s \in \mathbb{F}_2^{\ell}$ be an instance of the submatrix 
matching problem. Assume that $I$ is a solution to the problem of size exactly $p$. 
Similar to FS-ISD we construct $I$ from two sets $I_1, I_2$ of size $p/2$ each. 

As opposed to FS-ISD, we do not choose $I_1$ and $I_2$ from disjoint sets of size $\frac{k+\ell}{2}$. 
Rather we choose both $I_1, I_2$ from the full set $[k+\ell]$. This choice of the index sets 
is similar to what we call the representation technique due to Howgrave-Graham 
and Joux [8]. The effect of the choice is that we obtain $\binom{p}{p/2} \approx 2^p$ different 
partitions $I = I_1 \cup I_2$ and therefore the same number of identities 

$\sum_{i \in I_1} q_i = \sum_{i \in I_2} q_i + s$ in $\mathbb{F}_2^{\ell}$.   (9) 

Our goal is to find one of these identities with constant success probability, 
where the probability is taken over the random choice of $Q$. Therefore we do 
not construct all possible sums of elements in $I_1, I_2$ but only those that satisfy 
additional constraints. To establish the constraints, we introduce shortening parameters 
$\ell_1, \ell_2$ with $\ell_1 + \ell_2 = \ell$ that correspond to disjoint subsets $L_1, L_2 \subseteq [\ell]$ 
of size $\ell_1, \ell_2$, respectively. 

Our construction now proceeds in two steps. In the first step, we construct 
partial solutions that already sum to the target value $s$ on the $\ell_2$ positions of 
$L_2$. More precisely, we construct two lists 

$\mathcal{L}_1 := \{(I_1, \pi_{L_1}(Q_{I_1})) : I_1 \subseteq [k+\ell],\ |I_1| = p/2 \text{ and } \pi_{L_2}(Q_{I_1}) = 0 \in \mathbb{F}_2^{\ell_2}\}$ and 

$\mathcal{L}_2 := \{(I_2, \pi_{L_1}(Q_{I_2}) + s_{L_1}) : I_2 \subseteq [k+\ell],\ |I_2| = p/2 \text{ and } \pi_{L_2}(Q_{I_2}) = s_{L_2} \in \mathbb{F}_2^{\ell_2}\}.$ 

Notice that out of the $2^p$ possible identities that satisfy Eq. (9), we consider 
only those identities where $\sum_{i \in I_1} q_i$ is equal to $0 \in \mathbb{F}_2^{\ell_2}$ on the bits of $L_2$. Thus 
we expect that only a $2^{-\ell_2}$-fraction of all solutions survives this constraint, which leaves an 
expected number of $2^{p - \ell_2}$ solutions. 

Once we have constructed the lists $\mathcal{L}_1, \mathcal{L}_2$ in the first step, we sort $\mathcal{L}_2$ according 
to the labels $\pi_{L_1}(Q_{I_2}) + s_{L_1}$ and search for all elements $\pi_{L_1}(Q_{I_1})$ in $\mathcal{L}_1$ for a 
matching element in $\mathcal{L}_2$. Notice that every matching $(I_1, I_2)$ fulfills Eq. (9) and 
hence is a solution to the submatrix matching problem. 

Since we constructed $I_1, I_2$ in a non-disjoint way, their intersection $J = I_1 \cap I_2$ 
might be non-empty. In this case, all vectors in $J$ appear on both sides of Eq. (9) 
and thus cancel out when we compute $\sum_{i \in I_1} q_i + \sum_{i \in I_2} q_i$ over $\mathbb{F}_2$. This means 
that we have found a solution $I' = I_1 \triangle I_2 = (I_1 \cup I_2) \setminus (I_1 \cap I_2)$ to the submatrix 
matching problem with size $|I'| = p - 2|I_1 \cap I_2|$. 

How to construct $\mathcal{L}_1$ and $\mathcal{L}_2$. The initial lists $\mathcal{L}_1$ and $\mathcal{L}_2$ can be easily 
constructed by a classical sort-and-match step. Let us show how to construct 
$\mathcal{L}_1$, the construction of $\mathcal{L}_2$ is analogous. We partition $I_1 = I_{1,1} \cup I_{1,2}$ with $|I_{1,1}| = 
|I_{1,2}| = p/4$ where $I_{1,1} \subseteq [1, \frac{k+\ell}{2}]$ and $I_{1,2} \subseteq [\frac{k+\ell}{2}+1, k+\ell]$. More precisely, we 
compute two lists 

$\mathcal{L}_{1,1} := \{(I_{1,1}, \pi_{L_2}(Q_{I_{1,1}})) : I_{1,1} \subseteq [1, \tfrac{k+\ell}{2}],\ |I_{1,1}| = p/4\}$ and 
$\mathcal{L}_{1,2} := \{(I_{1,2}, \pi_{L_2}(Q_{I_{1,2}})) : I_{1,2} \subseteq [\tfrac{k+\ell}{2}+1, k+\ell],\ |I_{1,2}| = p/4\}.$ 

We then sort $\mathcal{L}_{1,2}$ with respect to the second component and search for all second 
components in $\mathcal{L}_{1,1}$ for matching elements in $\mathcal{L}_{1,2}$. 

Fig. 3. Illustration of the ColumnMatch algorithm. The flat rectangles above, beside 
or below the lists represent the structure of the index sets $I_{i,j}$ contained in distinct 
lists, e.g., the level-2 list $\mathcal{L}_{1,1}$ contains index sets $I_{1,1}$ whose $p/4$ ones are spread over the 
first half of $[k+\ell]$ (as illustrated by the gray region). 

Remark 1. Notice that the construction of $\mathcal{L}_1$ and $\mathcal{L}_2$ via disjoint splittings $I_1 = 
I_{1,1} \cup I_{1,2}$ and $I_2 = I_{2,1} \cup I_{2,2}$ lowers the number of representations $R(p)$. Instead of 
considering every subset $I_1 \subseteq I$ of size $p/2$ we take every $I_1$ with an equal number 
of $p/4$ indices coming from $[1, (k+\ell)/2]$ and $[(k+\ell)/2+1, k+\ell]$, respectively. 
Hence, we only have $\binom{p/2}{p/4}^2$ instead of $\binom{p}{p/2}$ many different representations per 
solution in Eq. (9). Asymptotically, this can be neglected since both terms equal 
$2^{p(1-o(1))}$. 
Algorithm 1. ColumnMatch 
Input: $Q \in \mathbb{F}_2^{\ell \times (k+\ell)}$, $s \in \mathbb{F}_2^{\ell}$, $p \leq k + \ell$ 
Output: $I$ with $\pi(Q_I) = s$ or $\bot$ if no solution is found 
Parameters: $L_1, L_2$ with $[\ell] = L_1 \cup L_2$ and $|L_i| = \ell_i$ for $i = 1, 2$. 

01 Construct $\mathcal{L}_{1,1}, \mathcal{L}_{1,2}, \mathcal{L}_{2,1}, \mathcal{L}_{2,2}$. 

02 Sort $\mathcal{L}_{1,2}, \mathcal{L}_{2,2}$ according to their labels $\pi_{L_2}(Q_{I_{1,2}})$, $\pi_{L_2}(Q_{I_{2,2}}) + s_{L_2}$. 

03 Join $\mathcal{L}_{1,1}$ and $\mathcal{L}_{1,2}$ to $\mathcal{L}_1$, i.e., for all $(I_{1,1}, \pi_{L_2}(Q_{I_{1,1}})) \in \mathcal{L}_{1,1}$ do 

04   for all $(I_{1,2}, \pi_{L_2}(Q_{I_{1,2}})) \in \mathcal{L}_{1,2}$ with $\pi_{L_2}(Q_{I_{1,1}}) = \pi_{L_2}(Q_{I_{1,2}})$ do 

05     $I_1 = I_{1,1} \cup I_{1,2}$. Insert $(I_1, \pi_{L_1}(Q_{I_1}))$ into $\mathcal{L}_1$. 

06 Join $\mathcal{L}_{2,1}$ and $\mathcal{L}_{2,2}$ to $\mathcal{L}_2$, i.e., for all $(I_{2,1}, \pi_{L_2}(Q_{I_{2,1}})) \in \mathcal{L}_{2,1}$ do 

07   for all $(I_{2,2}, \pi_{L_2}(Q_{I_{2,2}}) + s_{L_2}) \in \mathcal{L}_{2,2}$ with $\pi_{L_2}(Q_{I_{2,1}}) = \pi_{L_2}(Q_{I_{2,2}}) + s_{L_2}$ do 

08     $I_2 = I_{2,1} \cup I_{2,2}$. Insert $(I_2, \pi_{L_1}(Q_{I_2}) + s_{L_1})$ into $\mathcal{L}_2$. 

09 Sort $\mathcal{L}_2$ according to the label $\pi_{L_1}(Q_{I_2}) + s_{L_1}$. 

10 Join $\mathcal{L}_1$ and $\mathcal{L}_2$ to $\mathcal{L}$, i.e., for all $(I_1, \pi_{L_1}(Q_{I_1})) \in \mathcal{L}_1$ do 

11   for all $(I_2, \pi_{L_1}(Q_{I_2}) + s_{L_1}) \in \mathcal{L}_2$ with $\pi_{L_1}(Q_{I_1}) = \pi_{L_1}(Q_{I_2}) + s_{L_1}$ do 

12     Output $I_1 \triangle I_2 = (I_1 \cup I_2) \setminus (I_1 \cap I_2)$. 

13 Output $\bot$. 
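Algorithm 1 as an added, stand-alone Python example (not the authors' code): columns of Q are stored as ℓ-bit integers, L_2 is taken to be the low ℓ_2 bits and L_1 the ℓ_1 bits above them, the four level-2 lists are joined exactly as in lines 01-12, and the output is the set of all I_1 △ I_2 found. The instance (k+ℓ = 16, ℓ = 8, p = 4, a planted solution with p/2 indices in each half) is a constructed toy input, and `success_rate` measures how often the planted solution survives the ℓ_2-bit shortening, i.e. the event Theorem 2 below bounds.

```python
import itertools
import random

# Constructed toy parameters (not from the paper): an ell x (k+ell) matrix Q
# with k+ell = 16 columns, ell = 8 rows and solution weight p = 4.  Columns
# are ell-bit integers; L_2 = the low ell2 bits, L_1 = the ell1 bits above.
K_PLUS_ELL, ELL, P = 16, 8, 4


def col_sum(q, idx):
    """pi(Q_I): the sum over F_2 (XOR) of the columns of q indexed by idx."""
    v = 0
    for i in idx:
        v ^= q[i]
    return v


def column_match(q, s, p, ell1, ell2):
    """Algorithm 1 (ColumnMatch).  Returns the set of all index sets
    I_1 (symmetric difference) I_2 produced by the final join; each has
    size p - 2|I_1 ∩ I_2| and its columns sum to s.  Empty set means ⊥."""
    m, half = len(q), len(q) // 2
    mask2 = (1 << ell2) - 1                 # rows in L_2
    mask1 = ((1 << ell1) - 1) << ell2       # rows in L_1

    def level2(lo, hi):
        # L_{j,1} / L_{j,2}: all weight-p/4 sets from one half, keyed by pi_{L2}
        table = {}
        for idx in itertools.combinations(range(lo, hi), p // 4):
            table.setdefault(col_sum(q, idx) & mask2, []).append(idx)
        return table

    left, right = level2(0, half), level2(half, m)

    def level1(target2, shift):
        # Join the two halves so that pi_{L2}(Q_{I_j}) = target2 (lines 03-08)
        # and key the result by pi_{L1}(Q_{I_j}) + shift_{L1}.
        table = {}
        for lab, sets in left.items():
            for i_b in right.get(lab ^ target2, ()):
                for i_a in sets:
                    full = i_a + i_b
                    key = (col_sum(q, full) ^ shift) & mask1
                    table.setdefault(key, []).append(full)
        return table

    list1 = level1(0, 0)              # I_1: zero on L_2, label pi_{L1}(Q_{I_1})
    list2 = level1(s & mask2, s)      # I_2: s on L_2, label pi_{L1}(Q_{I_2}) + s_{L1}
    found = set()
    for lab, sets in list1.items():   # final join (lines 10-12)
        for i2 in list2.get(lab, ()):
            for i1 in sets:
                found.add(frozenset(i1).symmetric_difference(i2))
    return found


def make_instance(seed):
    """Random Q (constructed sample) and a planted solution I with p/2
    indices in each half of [k+ell]; the target is s := pi(Q_I)."""
    rng = random.Random(seed)
    q = [rng.getrandbits(ELL) for _ in range(K_PLUS_ELL)]
    half = K_PLUS_ELL // 2
    planted = frozenset(rng.sample(range(half), P // 2)
                        + rng.sample(range(half, K_PLUS_ELL), P // 2))
    return q, col_sum(q, planted), planted


def is_solution(q, s, idx, p):
    return len(idx) <= p and col_sum(q, idx) == s


def success_rate(ell2, seeds):
    """Fraction of instances in which the planted solution is recovered;
    every set returned by column_match is checked to be a valid solution."""
    hits = 0
    for seed in seeds:
        q, s, planted = make_instance(seed)
        sols = column_match(q, s, P, ELL - ell2, ell2)
        assert all(is_solution(q, s, x, P) for x in sols)
        hits += planted in sols
    return hits / len(seeds)
```

With ℓ_2 = 0 no representation is filtered and the planted solution is always found; with ℓ_2 = p − 2 = 2 each of the (p/2 choose p/4)^2 = 4 representations survives only with probability 2^{-ℓ_2}, so some instances return ⊥ while every returned set is still a valid solution.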


Time and space complexity. Throughout the analysis, we will again ignore 
low-order terms that are polynomial in the parameters $p, \ell$. The space complexity 
of constructing the four level-2 lists $\mathcal{L}_{1,1}, \mathcal{L}_{1,2}, \mathcal{L}_{2,1}, \mathcal{L}_{2,2}$ is bounded by the length 
$\binom{(k+\ell)/2}{p/4}$ of these lists. The sort-and-match step of these lists can be done in time 


$\tilde{O}\left( \max\left\{ \binom{(k+\ell)/2}{p/4},\ \binom{(k+\ell)/2}{p/4}^2 \cdot 2^{-\ell_2} \right\} \right).$ 


Joining lists $\mathcal{L}_{1,1}$ and $\mathcal{L}_{1,2}$ to list $\mathcal{L}_1$ produces a list of expected size 


$\mathrm{E}[|\mathcal{L}_1|] = \binom{(k+\ell)/2}{p/4}^2 \cdot 2^{-\ell_2} = \tilde{O}\left(2^{(k+\ell) H\left(\frac{p}{2(k+\ell)}\right) - \ell_2}\right).$ 


The final sort-and-match step of $\mathcal{L}_1$ and $\mathcal{L}_2$ on level 1 then takes expected time 


$\tilde{O}\left( \max\left\{ \mathrm{E}[|\mathcal{L}_1|],\ \mathrm{E}[|\mathcal{L}_1|]^2 \cdot 2^{-\ell_1} \right\} \right) = \tilde{O}\left( \max\left\{ \binom{(k+\ell)/2}{p/4}^2 2^{-\ell_2},\ \binom{(k+\ell)/2}{p/4}^4 2^{-2\ell_2 - \ell_1} \right\} \right).$ 


The following table summarizes the exponents in the complexities for both levels 
of our algorithm ColumnMatch. This means that e.g. on level 2, we have space 
complexity $\tilde{O}(2^{S_2(k,p,\ell)})$. All binomial coefficients are estimated via Stirling's formula (Section 2). 

The total time and space complexity for ColumnMatch is hence given by 


$S(k, p, \ell, \ell_2) = \max\{S_2(k, p, \ell),\ S_1(k, p, \ell, \ell_2)\}$ and 

$T(k, p, \ell, \ell_1, \ell_2) = \max\{S_2(k, p, \ell),\ S_1(k, p, \ell, \ell_2),\ 2S_1(k, p, \ell, \ell_2) - \ell_1\}.$ 
Table 2. Exponents of time and space complexities 

  level   space                                                       time 
  2       $S_2(k,p,\ell) := \frac{k+\ell}{2} H\left(\frac{p}{2(k+\ell)}\right)$            $\max\{S_2(k,p,\ell),\ S_1(k,p,\ell,\ell_2)\}$ 
  1       $S_1(k,p,\ell,\ell_2) := 2S_2(k,p,\ell) - \ell_2$                    $\max\{S_1(k,p,\ell,\ell_2),\ 2S_1(k,p,\ell,\ell_2) - \ell_1\}$ 


Theorem 2. Let $Q \in_R \mathbb{F}_2^{\ell \times (k+\ell)}$, $s \in \mathbb{F}_2^{\ell}$ and $p \leq k + \ell$. Let $I$ be a solution 
of the submatrix matching problem for $Q, s$. For sufficiently large $p$ ColumnMatch 
finds $I$ with probability at least $1/2$ in time $\tilde{O}(2^{T(k,p,\ell,\ell_1,\ell_2)})$ and space 
$\tilde{O}(2^{S(k,p,\ell,\ell_2)})$ as long as $\ell_2 \leq p - 2$. 


Proof. We already proved the claim about the time and space complexity. It 
remains to show that ColumnMatch succeeds with probability at least $1/2$. 

To analyze the success probability of ColumnMatch we introduce a random 
variable $X$ that counts the number of representations $I = I_1 \cup I_2$ of the solution 
$I$ in the lists $\mathcal{L}_1$ and $\mathcal{L}_2$. Our goal is to show that at least one representation survives 
in our algorithm with probability at least $1/2$. 

Notice that we have a total number of $R(p) := \binom{p/2}{p/4}^2$ representations on level 
1. To analyze $X$ we introduce $R(p)$ indicator variables $X_{\mathcal{I}}$, one for each representation 
$\mathcal{I} = (I_1, I_2)$ with $I = I_1 \cup I_2$, where $X_{\mathcal{I}} = 1$ iff the representation $\mathcal{I}$ is contained in $\mathcal{L}_1$, i.e., 


$X_{\mathcal{I}} = \begin{cases} 1 & \text{if } \pi_{L_2}(Q_{I_1}) = 0 \\ 0 & \text{otherwise.} \end{cases}$ 


Note that $X = \sum_{\mathcal{I}} X_{\mathcal{I}}$. The Second Moment Method [1] now lower bounds the 
success probability $\Pr[X \geq 1]$ by upper bounding $\Pr[X = 0] = 1 - \Pr[X \geq 1]$ 
using Chebyshev's inequality 



Here the covariance has to be computed over all different representations $\mathcal{I} \neq \mathcal{J}$ 
of the solution $I$. Essentially, for every representation $\mathcal{I}$ there is exactly one 
different representation $\mathcal{J}$ for which $X_{\mathcal{I}}$ and $X_{\mathcal{J}}$ are dependent, otherwise they 
are pairwise independent and hence $\mathrm{Cov}[X_{\mathcal{I}}, X_{\mathcal{J}}] = 0$. 

We write $\mathcal{I} = I_1 \cup I_2$ with $|I_1| = |I_2| = p/2$ and analogously $\mathcal{J} = J_1 \cup J_2$. Notice 
that for all choices $J_1 \neq I \setminus I_1$, the random variables $X_{\mathcal{I}}$ and $X_{\mathcal{J}}$ are pairwise 
independent because $Q$ contains randomly distributed columns. 

Let $J_1 = I \setminus I_1$. Since $\pi(Q_I) = s$, we have 


$\pi_{L_2}(Q_{I_1}) = \pi_{L_2}(Q_{J_1}) + s_{L_2}.$ 


If $s_{L_2} \neq 0$ then $\pi_{L_2}(Q_{I_1}) \neq \pi_{L_2}(Q_{J_1})$, which implies that $X_{\mathcal{I}} X_{\mathcal{J}} = 0$. Therefore 
$\mathrm{Cov}[X_{\mathcal{I}}, X_{\mathcal{J}}] = \mathrm{E}[X_{\mathcal{I}} X_{\mathcal{J}}] - \mathrm{E}[X_{\mathcal{I}}]\,\mathrm{E}[X_{\mathcal{J}}] = -\mathrm{E}[X_{\mathcal{I}}]\,\mathrm{E}[X_{\mathcal{J}}] < 0$. Hence, dropping the negative covariance terms, we can 
bound $\Pr[X = 0]$ as 

$\Pr[X = 0] \leq \frac{\sum_{\mathcal{I}} \mathrm{Var}[X_{\mathcal{I}}]}{\mathrm{E}[X]^2}.$ 

If $s_{L_2} = 0$ then $\pi_{L_2}(Q_{I_1}) = \pi_{L_2}(Q_{J_1})$, which implies $X_{\mathcal{I}} = X_{\mathcal{J}}$. This means that 
for every $\mathcal{I}$ there is exactly one $\mathcal{J} \neq \mathcal{I}$ such that $\mathrm{Cov}[X_{\mathcal{I}}, X_{\mathcal{J}}] = \mathrm{Cov}[X_{\mathcal{J}}, X_{\mathcal{I}}] = 
\mathrm{Var}[X_{\mathcal{I}}]$. In this case, we can bound $\Pr[X = 0]$ as 

$\Pr[X = 0] \leq \frac{2 \sum_{\mathcal{I}} \mathrm{Var}[X_{\mathcal{I}}]}{\mathrm{E}[X]^2}.$ 

Example 1. Consider the case $k = 8$ and $p = 4$ with $Q = (q_1, \ldots, q_8)$, 
$s = 0$ and $I = \{1, 2, 5, 6\}$. The representations $\mathcal{I} = I_1 \cup I_2 = \{1, 5\} \cup \{2, 6\}$ 
and $\mathcal{J} = J_1 \cup J_2 = \{2, 6\} \cup \{1, 5\}$ have identical indicator variables $X_{\mathcal{I}}, X_{\mathcal{J}}$. 
However $\mathcal{I}$ and $\mathcal{K} = \{2, 5\} \cup \{1, 6\}$ have independent indicator variables since 
$\Pr[X_{\mathcal{K}} = 1 \mid X_{\mathcal{I}} = 1] = \Pr[q_2 + q_5 = 0 \mid q_1 + q_5 = 0] = \Pr[q_2 = q_1] = 2^{-\ell_2} = 
\Pr[X_{\mathcal{K}} = 1]$. 

We further observe that 

$\mathrm{Var}[X_{\mathcal{I}}] = \mathrm{E}[X_{\mathcal{I}}^2] - (\mathrm{E}[X_{\mathcal{I}}])^2 = \mathrm{E}[X_{\mathcal{I}}] - (\mathrm{E}[X_{\mathcal{I}}])^2 \leq \mathrm{E}[X_{\mathcal{I}}].$ 

Therefore, we obtain 

$\Pr[X = 0] \leq \frac{2 \sum_{\mathcal{I}} \mathrm{Var}[X_{\mathcal{I}}]}{\mathrm{E}[X]^2} \leq \frac{2 \sum_{\mathcal{I}} \mathrm{E}[X_{\mathcal{I}}]}{\mathrm{E}[X]^2} = \frac{2\,\mathrm{E}[\sum_{\mathcal{I}} X_{\mathcal{I}}]}{\mathrm{E}[X]^2} = \frac{2\,\mathrm{E}[X]}{\mathrm{E}[X]^2} = \frac{2}{\mathrm{E}[X]}.$ 

Since $\mathrm{E}[X] = R(p)\,2^{-\ell_2} \geq 2^{p(1-o(1)) - \ell_2}$, putting the restriction $\ell_2 \leq p - 2$ on 
the choice of the parameter $\ell_2$ yields for large enough $p$ 

$\Pr[X = 0] \leq 2^{1 - p(1-o(1)) + \ell_2}.$ 

This in turn implies that our algorithm ColumnMatch succeeds in constructing 
at least one representation of the solution with probability at least $1/2$. □ 


5 Our New Decoding Algorithm 


Let us start by giving a high-level description of our new information set decoding 
algorithm which we call Decode. Let $H \in \mathbb{F}_2^{(n-k) \times n}$ be a parity check matrix 
of an $[n, k, d]$-code $C$. Assume that we want to decode $x = c + e$ with $c \in C$, 
$\omega := \mathrm{wt}(e) = \lfloor (d-1)/2 \rfloor$. That means we want to find $\omega$ columns in $H$ that sum to 
the syndrome $s(x) = Hx^t$. As described in Sect. 3.3 we start with the initial 
transformation on the parity check matrix $H$ and obtain the modified systematic form 


$\bar{H} = \mathrm{Init}(H) = U_G H U_P = \Big(Q \,\Big|\, \begin{smallmatrix} 0 \\ I_{n-k-\ell} \end{smallmatrix}\Big).$ 


This process also permutes $e$ to $\bar{e} = eU_P$. Let $p \leq \omega$ be an optimization parameter. 
We need that the $\omega$ ones in $\bar{e}$ are distributed as $p/2$, $p/2$, $\omega - p$ in the coordinate 
intervals $[1, (k+\ell)/2]$, $[(k+\ell)/2 + 1, k+\ell]$, $[k+\ell+1, n]$ of $\bar{e}$, respectively. 

Recall from Section 3.3 that $\bar{e}$ happens to have the correct form with 
probability 

$P_{\text{ColumnMatch}}(p, \ell) :=$ 



  (11) 


We now look within the submatrix $Q^{[\ell]}$ of $Q$ for a weight-$p$ sum of the columns 
that exactly matches the projection of the syndrome to the first $\ell$ rows. 

In the Decode algorithm, we now apply our ColumnMatch algorithm to 
$Q^{[\ell]} \in \mathbb{F}_2^{\ell \times (k+\ell)}$ with the projected syndrome as target vector and a solution 
weight of $p$. 

In each iteration of Decode, our ColumnMatch algorithm yields with probability 
at least $\frac{1}{2} \cdot P_{\text{ColumnMatch}}(p, \ell)$ at least one index set $I$, $|I| \leq p$ such that 
$\pi_{[\ell]}(Q_I)$ exactly matches the projected syndrome. Thus we already match the 
syndrome on $\ell$ coordinates using a weight-$|I|$ linear combination of columns 
from $Q$. If the remaining coordinates of $\pi(Q_I)$ differ from the syndrome only by 
$\omega - |I|$ 1-entries, then we can correct these entries by choosing $\omega - |I|$ unit vectors 
from $I_{n-k-\ell}$. Let us summarize our decoding algorithm by giving a pseudo-code 
description in Algorithm 2. 


Algorithm 2. Decode

Input: Parity check matrix $H \in \mathbb{F}_2^{(n-k) \times n}$, syndrome $s(x) = He^t$ with $\mathrm{wt}(e) = \omega$.

Output: Error $e \in \mathbb{F}_2^n$

Parameters: $p, \ell, \ell_1, \ell_2$ with $\ell = \ell_1 + \ell_2$

00 Repeat
01   Compute $\tilde{H} \leftarrow \mathrm{Init}(H)$ where $\tilde{H} = U_G H U_P$.
02   For all (solutions $I$ found by ColumnMatch($Q_{[\ell]}$, $(U_G s^t(x))_{[\ell]}$, $p$, $\ell_1$, $\ell_2$)) do
03     If $\mathrm{wt}(\pi(Q_I) + U_G s^t(x)) = \omega - |I|$ then
04       Compute $\tilde{e} \in \mathbb{F}_2^n$ by setting
05         $\tilde{e}_i = 1$ for all $i \in I$
06         $\tilde{e}_{k+\ell+j} = 1$ for all $j \in \mathrm{supp}\left(\pi_{[n-k] \setminus [\ell]}(Q_I + U_G s^t(x))\right)$
07       Output $e$ with $e^t = U_P \tilde{e}^t$.


The correctness of Decode is implied by correctness of the ColumnMatch algorithm as we show in the following lemma.

Lemma 1. Decode is correct, i.e., if Decode outputs error $e$ then $He^t = s(x)$ and $\mathrm{wt}(e) = \omega$.

Proof. Let $I$ be an output of ColumnMatch, i.e., $\pi_{[\ell]}(Q_I) = (U_G s^t(x))_{[\ell]}$ and $0 \le |I| \le p$. Furthermore, we have

$$U_G H e^t = U_G H U_P \tilde{e}^t = \pi(Q_I) + \begin{pmatrix} 0 \\ \pi_{[n-k] \setminus [\ell]}\left(Q_I + U_G s^t(x)\right) \end{pmatrix} = \begin{pmatrix} (U_G s^t(x))_{[\ell]} \\ (U_G s^t(x))_{[n-k] \setminus [\ell]} \end{pmatrix} = U_G s^t(x).$$

Since $U_G$ is invertible, it follows that $He^t = s(x)$. Moreover, from line 03 of Decode we obtain that

$$\mathrm{wt}(e) = \mathrm{wt}(\tilde{e}) = |I| + \mathrm{wt}(\pi(Q_I) + U_G s^t(x)) = |I| + \omega - |I| = \omega. \qquad \square$$
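The following Python program is an added example and not the authors' C++ implementation: it runs Algorithm 2 on a constructed random instance and checks the output exactly as Lemma 1 does. Two simplifications are assumptions of this example: ColumnMatch is replaced by an exhaustive enumeration of every index set $I$ with $|I| \le p$ (the representation-based search is not reproduced), and Init draws a fresh uniformly random column permutation in every iteration and retries whenever the last $n-k-\ell$ permuted columns are linearly dependent. The names make_instance, init, column_match_exhaustive, decode and is_valid belong to the example, not to the paper.

```python
import itertools
import random

# Added example (not the paper's C++ code). Algorithm 2 over GF(2) with two
# assumptions: ColumnMatch is replaced by an exhaustive search over all index
# sets I with |I| <= p, and Init uses a fresh uniformly random column
# permutation per iteration. Matrices are lists of 0/1 rows.


def syndrome(H, e):
    """s = H e^t over GF(2): XOR of the columns of H selected by e."""
    return [sum(h * x for h, x in zip(row, e)) % 2 for row in H]


def make_instance(n, k, w, seed):
    """Constructed sample: random H in F_2^{(n-k) x n}, random error e of
    weight w, and the syndrome s = H e^t that Decode has to explain."""
    rng = random.Random(seed)
    H = [[rng.randrange(2) for _ in range(n)] for _ in range(n - k)]
    e = [0] * n
    for j in rng.sample(range(n), w):
        e[j] = 1
    return H, e, syndrome(H, e)


def init(H, s, n, k, ell, rng):
    """Init(H): random column permutation U_P followed by row operations U_G
    that turn the last n-k-ell columns into (0 | I_{n-k-ell})^t, the zero
    block occupying the first ell rows. The syndrome rides along as an extra
    column, so it comes out as U_G s^t. Returns None if those columns are
    linearly dependent (the caller then tries a new permutation)."""
    r = n - k
    perm = list(range(n))
    rng.shuffle(perm)
    M = [[H[i][perm[j]] for j in range(n)] + [s[i]] for i in range(r)]
    for t in range(r - ell):
        row, col = ell + t, k + ell + t
        # the pivot may come from any row not already fixed as a pivot row
        piv = next((i for i in range(r) if (i < ell or i >= row) and M[i][col]), None)
        if piv is None:
            return None
        M[row], M[piv] = M[piv], M[row]
        for i in range(r):
            if i != row and M[i][col]:
                M[i] = [a ^ b for a, b in zip(M[i], M[row])]
    Q = [m[:k + ell] for m in M]      # the (n-k) x (k+ell) block Q
    ugs = [m[n] for m in M]           # U_G s^t
    return Q, ugs, perm


def column_sum(Q, I, rows):
    """pi_rows(Q_I): XOR of the columns of Q indexed by I, on the given rows."""
    return [sum(Q[i][j] for j in I) % 2 for i in rows]


def column_match_exhaustive(Q, target, ell, p):
    """Stand-in for ColumnMatch (assumption of this example): every I with
    0 <= |I| <= p whose column sum equals target on the first ell rows."""
    for size in range(p + 1):
        for I in itertools.combinations(range(len(Q[0])), size):
            if column_sum(Q, I, range(ell)) == target:
                yield I


def decode(H, s, n, k, w, ell, p, seed=0, max_iter=5000):
    """Algorithm 2 (Decode). Returns e with H e^t = s and wt(e) = w, or None
    if no iteration succeeded within max_iter."""
    rng = random.Random(seed)
    for _ in range(max_iter):
        res = init(H, s, n, k, ell, rng)                          # line 01
        if res is None:
            continue
        Q, ugs, perm = res
        for I in column_match_exhaustive(Q, ugs[:ell], ell, p):   # line 02
            rest = [a ^ b for a, b in zip(column_sum(Q, I, range(ell, n - k)), ugs[ell:])]
            if sum(rest) != w - len(I):                           # line 03
                continue
            et = [0] * n                                          # lines 04-06: build e~
            for j in I:
                et[j] = 1
            for j, bit in enumerate(rest):
                if bit:
                    et[k + ell + j] = 1
            e = [0] * n                                           # line 07: e^t = U_P e~^t
            for j in range(n):
                e[perm[j]] = et[j]
            return e
    return None


def is_valid(H, s, e, w):
    """The guarantee of Lemma 1: H e^t = s and wt(e) = w."""
    return e is not None and syndrome(H, e) == s and sum(e) == w


if __name__ == "__main__":
    n, k, w, ell, p = 24, 12, 3, 2, 2
    H, e, s = make_instance(n, k, w, seed=7)
    found = decode(H, s, n, k, w, ell, p, seed=7)
    print("planted error :", "".join(map(str, e)))
    print("decoded error :", "".join(map(str, found)) if found else None)
    print("Lemma 1 holds :", is_valid(H, s, found, w))
```

For such a tiny random code the decoded vector need not coincide with the planted one, since several weight-$\omega$ vectors may share a syndrome; what Lemma 1 guarantees, and what is_valid checks, is only that the output has the right syndrome and the right weight.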

In the remaining part of this section we explain how to derive optimal parameter choices for the Decode algorithm. We parametrize our code by $k = c_k n$, $\omega = c_\omega n$. We also parametrize the algorithm's optimization parameters as $\ell_1 = c_{\ell_1} n$, $\ell_2 = c_{\ell_2} n$ and $p = c_p n$.

Optimal parameters for the Decode algorithm. Recall that a randomly permuted error $e \in \mathbb{F}_2^n$ of weight $\mathrm{wt}(e) = \omega$ has the desired weight distribution of 1-entries with probability $P_{\mathrm{ColumnMatch}}(p, \ell)$ from Eq. (11) as in the FS-ISD algorithm. Thus the inverse success probability is asymptotically $P_{\mathrm{ColumnMatch}}^{-1}(p, \ell) = \tilde{O}(2^{\alpha n})$ with

$$\alpha(c_p, c_\ell) = H(c_\omega) - \left( (c_k + c_\ell)\, H\!\left(\frac{c_p}{c_k + c_\ell}\right) + (1 - c_k - c_\ell)\, H\!\left(\frac{c_\omega - c_p}{1 - c_k - c_\ell}\right) \right).$$

For a fixed choice of the parameters $\ell_1, \ell_2$ and $p$, the asymptotic time and space complexities of one iteration of Decode are given by $2^{T(k, p, \ell_1, \ell_2)\, n}$ and $2^{S(k, p, \ell_1, \ell_2)\, n}$ from Theorem 2. In order to apply Theorem 2 we need to further ensure that $\ell_2 \le p - 2$, which asymptotically simplifies to $c_{\ell_2} \le c_p$.

In total, we have to solve the following optimization problem

$$\min \left\{ T(c_k, c_p, c_{\ell_1}, c_{\ell_2}) + \alpha(c_p, c_{\ell_1} + c_{\ell_2}) \right\} \qquad \text{(OPT)}$$

$$\text{s.t.} \quad 0 \le c_p \le c_\omega, \quad 0 \le c_{\ell_1} + c_{\ell_2} \le 1 - c_k - c_\omega + c_p, \quad 0 \le c_{\ell_2} \le c_p, \quad 0 \le c_{\ell_1}.$$

We solve (OPT) numerically for various code rates $0 < c_k < 1$. Since random linear codes attain the Gilbert-Varshamov bound [0], we related the value $c_\omega$ for the maximal error-correction capability to $c_k$ by the identity $c_k = 1 - H(2 c_\omega)$.

For every code rate $0 < c_k < 1$ on the x-axis we plotted the complexity of Decode in comparison with the FS-ISD algorithm (see the corresponding figures). This shows that our Decode algorithm yields for all rates $c_k$ an exponential improvement over the best-known decoding algorithms FS-ISD and Ball-collision decoding. If we additionally plot the lower bound curve from [5] in its asymptotic form, then this curve lies strictly below the FS-ISD curve and strictly above our new curve. This shows that the representation technique in our Decode algorithm allows us to bypass the lower bound framework from [5].

We obtained the worst-case complexity for $c_k \approx 0.47$ with the parameter choice as stated in the following main result.

Theorem 3. Decode recovers $e$ in time $\tilde{O}(2^{0.05363\, n})$ and space $\tilde{O}(2^{0.021\, n})$, where the optimal parameter choice is $c_p = c_{\ell_2} = 0.006$ and $c_\ell = 0.028$.

Our formulation as an optimization problem (OPT) easily allows us to specify additional space constraints. E.g. adding the restriction $S(c_k, c_p, c_{\ell_1}, c_{\ell_2}) \le 0.014$ gives us a running time of $\tilde{O}(2^{0.05402\, n})$ using the same space $\tilde{O}(2^{0.014\, n})$ as in FS-ISD/Ball-collision decoding.
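As an added example that is not part of the paper, the following Python code evaluates the probability exponent $\alpha(c_p, c_\ell)$ above and solves the Gilbert-Varshamov identity $c_k = 1 - H(2 c_\omega)$ for $c_\omega$ by bisection. The time exponent $T$ of Theorem 2 is not on this page and is not reproduced, so the script covers only the $\alpha$ part of (OPT); the function names H2, gv_error_rate, alpha and prange_exponent are the example's own.

```python
import math

# Added example (not the paper's code): the probability exponent alpha(c_p, c_l)
# of the Decode/FS-ISD success probability and the Gilbert-Varshamov relation
# c_k = 1 - H(2 c_w). The time exponent T of Theorem 2 is not reproduced here,
# so only the alpha part of (OPT) is evaluated (assumption of this example).


def H2(x):
    """Binary entropy H(x) = -x log2(x) - (1-x) log2(1-x), with H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def gv_error_rate(c_k, tol=1e-12):
    """Solve c_k = 1 - H(2 c_w) for c_w in (0, 1/4] by bisection. H is
    increasing on (0, 1/2], so 1 - H(2 c_w) is decreasing in c_w and the
    root is unique."""
    lo, hi = 0.0, 0.25
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if 1.0 - H2(2.0 * mid) > c_k:   # H(2 mid) too small: c_w must grow
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def alpha(c_k, c_w, c_p, c_l):
    """Exponent with P_ColumnMatch^{-1}(p, l) = O~(2^{alpha n}):
    H(c_w) - ((c_k + c_l) H(c_p / (c_k + c_l))
              + (1 - c_k - c_l) H((c_w - c_p) / (1 - c_k - c_l))).
    Constraints taken from (OPT): 0 <= c_p <= c_w and c_w - c_p <= 1 - c_k - c_l
    (the remaining w - p ones must fit into the last n-k-l coordinates)."""
    if not (0.0 <= c_p <= c_w and c_l >= 0.0 and c_w - c_p <= 1.0 - c_k - c_l):
        raise ValueError("parameters violate the constraints of (OPT)")
    return H2(c_w) - ((c_k + c_l) * H2(c_p / (c_k + c_l))
                      + (1.0 - c_k - c_l) * H2((c_w - c_p) / (1.0 - c_k - c_l)))


def prange_exponent(c_k, c_w):
    """Special case c_p = c_l = 0: plain information set decoding, i.e. the
    probability that all w errors avoid the k information coordinates."""
    return alpha(c_k, c_w, 0.0, 0.0)


if __name__ == "__main__":
    # The parameter choice of Theorem 3, swept over the code rate.
    c_p, c_l = 0.006, 0.028
    print(" c_k     c_w      alpha(Thm 3 params)   alpha(Prange)")
    for c_k in (0.3, 0.4, 0.47, 0.5, 0.6, 0.7):
        c_w = gv_error_rate(c_k)
        print(f"{c_k:5.2f}  {c_w:.5f}  {alpha(c_k, c_w, c_p, c_l):.5f}             "
              f"{prange_exponent(c_k, c_w):.5f}")
```

The sweep makes the trade-off in (OPT) visible: moving weight $p$ into the first $k + \ell$ coordinates lowers the probability exponent $\alpha$ relative to plain information set decoding, and the cost of that choice is the per-iteration exponent $T$, which the full optimization has to add back.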



6 Experiments 

We implemented our Decode and ColumnMatch algorithms in C++ and tested them on three small McEliece instances with underlying $[n, k, \omega]$-Goppa codes. For each instance we computed optimal parameters $p, \ell_1, \ell_2$ (see second column of Table 3) using the exact formulas for the time and space complexities from Sect. 4 as well as for the respective probabilities from Eq. (11). We then carried out 10,000 experiments per McEliece instance with varying $Q$. We computed the target syndrome $s = Qe^t$ for an error vector $e$ fulfilling the required weight distribution, i.e., we fixed $p/2$ coordinates to 1 in both intervals $[1, (k+\ell)/2]$ and $[(k+\ell)/2 + 1, k+\ell]$.

Recall that our sole heuristic assumption was that $Q$ behaves as a uniformly random matrix, implying that the projected partial sums $\pi_{[\ell_1]}(Q_I)$ are distributed uniformly at random as well. To verify this assumption experimentally, we determined the average list size of $\mathcal{L}_1$ on level 1 and compared it to the theoretically expected size (see columns three and four of Table 3).

Furthermore, we counted the number of successful iterations where the error vector $e$ was found (see column five of Table 3). The results approximately match the theoretically predicted success probability of at least $\frac{1}{2}$ for ColumnMatch. The slight discrepancy is due to the small value of $p$.

For the sake of completeness, we also give the time per iteration as well as the number of repetitions $P^{-1}$ that would be needed for the complete Decode algorithm (see columns six and seven).

We would like to stress that the main goal of our implementation was to test the validity of the heuristic assumption that $Q$ behaves as a random matrix.
Table 3. Experimental results for the ColumnMatch algorithm

[n, k, ω]         [p, ℓ1, ℓ2]   L1 theo.   L1 exp.    success prob.   time (ms)   P^{-1}
[255, 135, 15]    [4, 11, 2]    1369       1369.1     43.6%           11          2^?
[511, 259, 28]    [4, 13, 2]    4692.25    4692.08    44.2%           44          2^17.96
[1024, 524, 50]   [4, 16, 2]    18360      18360.4    43.3%           207         2^38.74


We did not put effort into optimizing our code for speed by e.g. using clever data structures or hash tables as was done in [2]. We leave it as an open problem to implement an efficient version of our algorithm for determining the cut-off point with other variants of information set decoding, such as Stern, FS-ISD or Ball-collision decoding.

Acknowledgements. The authors would like to thank Antoine Joux for useful discussions and Jannik Pewny for carrying out the experiments.
Abstract. A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allowing the parties to change their internal state to make it look like a given ciphertext decrypts to a message different from what it really decrypts to. Deniable encryption was in this way introduced to allow a party to deny a message exchange and hence combat coercion.

Depending on which parties can be coerced, the security level, the flavor and the number of rounds of the cryptosystem, it is possible to define a number of notions of deniable encryption.

In this paper we prove that there does not exist any non-interactive receiver-deniable cryptosystem with better than polynomial security. This also shows that it is impossible to construct a non-interactive bi-deniable public-key encryption scheme with better than polynomial security. Specifically, we give an explicit bound relating the security of the scheme to how efficient the scheme is in terms of key size. Our impossibility result establishes a lower bound on the security.

As a final contribution we give constructions of deniable public-key encryption schemes which establish upper bounds on the security in terms of key length. There is a gap between our lower and upper bounds, which leaves the interesting open problem of finding the tight bounds.


1 Introduction 

Alice and Bob live in a country ruled by an evil dictator, Eve. If Alice wants to communicate with Bob, standard public-key cryptography can be used by Alice if she wants to keep Eve from learning the subject of her communication with Bob. However, if Eve controls the network she will be able to observe that a ciphertext is traveling from Alice to Bob. Once the evil Eve knows that a conversation took place, she might get suspicious and force Bob to reveal the content of the conversation. Can cryptography offer any help to Alice and Bob against such a powerful adversary? To solve this problem Canetti, Dwork, Naor and Ostrovsky [CDNO97] introduced the notion of deniable encryption as a tool to combat coercion.

Using a deniable cryptosystem Alice and Bob can communicate over an insecure channel in a way such that even if Eve records the transcript of the communication and later coerces Alice (resp. Bob, or both) to reveal their internal state (secret keys, randomness, ...), then Alice (resp. Bob, or both) has an efficient strategy to produce an alternative internal state that is consistent with the transcript and with a message different from the original one.

Threat model: First note that deniable encryption does not help if Eve has physical access to Alice and Bob's computers. In this case nothing can prevent Eve from seeing everything that Bob sees and therefore learning the encrypted message; since we want Alice and Bob to actually communicate information between them, this is unavoidable. On the other hand, if Alice and Bob can erase their secret information, they could simply lie about the content of a ciphertext: the standard indistinguishability security requirement implies that Eve cannot check whether the ciphertext is really an encryption of the message that Alice and Bob claim it to be. Therefore, as in [CDNO97], we consider the case where the parties hand their private keys and randomness to Eve, who can then check that the revealed message is in fact consistent with the ciphertext she observed earlier. If the parties are able to produce a reasonable explanation for the ciphertext that Eve observes, this is enough to fight this kind of coercion.

Sender/Receiver/Bi-Deniability: We distinguish between three kinds of deniability, according to which parties can be coerced by Eve. Note that, up to the number of rounds required by the protocol, sender and receiver deniability are equivalent: Bob can use a sender-deniable scheme to send a random key K to Alice, who can use it to encrypt the message M using a one-time pad and send back C = M ⊕ K. Now if Bob is coerced he can claim to have received a different message M' by using the sender-deniable property and explaining the transcript as if it contained a different key K' = C ⊕ M'.

When we consider bi-deniability, the case where Eve can coerce both Alice 
and Bob, the only coordination that we allow between Alice and Bob is to agree 
on which message to fake the ciphertext to. In particular this means that the 
parties cannot communicate to each other their internal states, when they have 
to produce a fake explanation. This seems to be the only meaningful definition: 
if Alice and Bob could communicate this information through a channel not 
controlled by Eve, why would they not use this channel to communicate the 
original message in the first place? 
Fully-Deniable vs. Multi-Distributional: In a multi-distributional deniable cryptosystem a ciphertext produced with a "fake" encryption algorithm E_F can be later explained as an encryption of any message under the "standard" encryption algorithm E. In other words, for any m, m' it is possible to find appropriate randomness for E, E_F such that E(m') = E_F(m). Note however, that Eve might not believe that the ciphertext was produced using E and ask to see the internal state for E_F, and in this case the parties have no efficient strategy to lie about the content of the ciphertext. A fully-deniable scheme is a scheme where E = E_F and therefore does not present this issue.

Public-key vs. Interactive Cryptosystems: A (receiver/sender/bi)-deniable public-key cryptosystem is a public-key cryptosystem that is (receiver/sender/bi)-deniable. I.e., the cryptosystem consists of a public key known by the sender, and the communication protocol consists of sending a ciphertext to the receiver. A generic, or interactive, cryptosystem might involve arbitrary interaction.

Security Level: All notions of deniability can be quantified by ε : ℕ → ℝ^+ which measures how indistinguishable the faked states are from the honest states. As an example, an ε-receiver-deniable public-key cryptosystem is one in which the faked secret key is ε-indistinguishable from the honest secret key to a computationally bounded distinguisher. We will distinguish between schemes where ε is a negligible function and where ε is of the form 1/p, for some polynomial p. We will idiosyncratically say that the former kind has negligible security and the latter polynomial security.

Prior Work, Our Contributions and Open Questions: Deniable encryption was first introduced and defined in [CDNO97]. They constructed a sender-deniable public-key cryptosystem with polynomial security, and therefore a receiver-deniable interactive cryptosystem. In [OPW11] O'Neill, Peikert and Waters showed how to construct multi-distributional bi-deniable public-key encryption with negligible security. This is the first scheme that achieves any kind of deniability when both parties are corrupted. Recently, Dürmuth and Freeman announced a fully-deniable (receiver/sender)-deniable interactive cryptosystem with negligible security [DF11]. However, their result was later shown to be incorrect by Peikert and Waters.

Our contribution to the state of the art on deniable encryption is to derive upper and lower bounds on how secure a deniable public-key encryption scheme can be as a function of the key size.

Lower bounds: As for lower bounds, we have the following results.

Receiver: We show that any public-key cryptosystem with σ-bit keys can be at most ½(σ + 1)^{-1}-receiver-deniable.

Sender: We do not know of a non-trivial lower bound for sender-deniable public-key encryption.

Bi: Since bi-deniable public-key encryption with σ-bit keys implies receiver-deniable public-key encryption with σ-bit keys, any public-key cryptosystem with σ-bit keys can be at most ½(σ + 1)^{-1}-bi-deniable.

Upper bounds: We show three upper bounds.

Receiver: If we let κ denote the length of the secret key of the best multi-distributional receiver-deniable public-key encryption scheme, then there exists a 1/n-receiver-deniable public-key encryption scheme with key length σ = O(n²κ).

Sender: If we let κ denote the length of the sender randomness in the best multi-distributional sender-deniable public-key encryption scheme, then there exists a 1/n-sender-deniable public-key encryption scheme where the sender randomness has length σ = O(nκ).

Bi: If we let κ denote the length of the secret key of the best multi-distributional bi-deniable public-key encryption scheme, then there exists a 1/n-bi-deniable public-key encryption scheme with key length σ = O(n⁴κ).

We phrase the upper bounds in terms of the upper bounds for multi-distributional schemes. The reason for this is that we do not know of any assumption which allows us to construct deniable public-key encryption with polynomial security which does not also allow us to construct multi-distributional deniable encryption. And, we do not know of any direct construction of deniable public-key encryption with polynomial security which is more efficient than going via a multi-distributional scheme. It therefore seems that multi-distributional schemes are the natural building block for deniable public-key encryption with polynomial security.

Our upper bounds for receiver-deniability and sender-deniability are similar to bounds which can be derived from constructions in [OPW11]. Our upper bound for bi-deniability is new. In [OPW11] a construction of a bi-deniable public-key encryption scheme is hinted at, but no explicit construction is given, which makes it impossible to estimate the complexity. The hinted construction is, however, different from the one we give here.

Our lower bound for receiver-deniability is a generalization of a result in [CDNO97], where a similar bound was proven for any so-called separable public-key encryption scheme. An encryption scheme being separable is, however, a very strong structural requirement, so it was unclear if the bound in [CDNO97] should hold for any scheme. In fact, we have not been able to find even a conjecture in the more than a decade of literature between [CDNO97] and the present result that polynomial security should be optimal in general. Our proof technique is completely different from the one in [CDNO97], as we cannot make any structural assumption about the encryption scheme in question.

Our work leaves a number of interesting open problems.

1. Our proofs of the upper bounds are via black-box constructions of deniable public-key encryption with polynomial security from multi-distributional deniable public-key encryption. This shows that multi-distributional deniable public-key encryption is stronger than deniable public-key encryption with polynomial security. Is it strictly stronger, or does there exist a black-box construction of multi-distributional deniable public-key encryption from deniable public-key encryption with polynomial security?
Table 1. The current state of the art for deniable encryption. The first column distinguishes between fully-deniable schemes and schemes with multi-distributional deniability. The Sender/Receiver/Bi columns contain a "✓" if any construction is known; an "X" indicates an impossibility result; a "?" marks a question that is still open.

Notion                 Security     Interaction   Sender   Receiver   Bi
Full-Deniability       Negligible   Interactive   ?        ?          ?
Full-Deniability       Negligible   Public-key    ?        X          X
Full-Deniability       Polynomial   Public-key    ✓        ✓          ✓
Multi-Distributional   Negligible   Public-key    ✓        ✓          ✓


2. Our lower bounds do not apply to sender-deniable public-key encryption. Is it possible to construct sender-deniable public-key encryption with better than polynomial security?

3. Our lower bounds do not apply to interactive encryption schemes. Is it possible to construct deniable encryption schemes with better than polynomial security when arbitrary interaction is allowed?

4. There is a gap between our upper and lower bounds of at least a factor κ. Since κ itself is typically, for practical purposes, a rather large number (multi-distributional schemes are not simple objects in themselves), this gap is important in practice. What are the tight bounds on the security of a deniable public-key encryption scheme? We conjecture that the bound is in the order of σ^{-1}.

Non-committing encryption: Canetti, Feige, Goldreich and Naor introduced the notion of a non-committing cryptosystem, which is similar to the notion of a bi-deniable cryptosystem, but it is only required that the faking can be done by a simulator. This simulator is allowed to use public keys with a different distribution than those in the protocol. This is needed when showing adaptive security in simulation-based models. It is known [CFGN96] how to implement non-committing encryption with negligible security. Several improvements over the original scheme (both in terms of efficiency and assumptions) have been published in [Bea97, DN00, KO04, GWZ09, CDSMW09].

In [Nie02] it was shown that non-interactive non-committing encryption is impossible. This does not imply the negative result we are proving here, as receiver-deniable public-key encryption does not imply non-committing encryption. In non-committing encryption both sides have to be faked. In receiver-deniable encryption, only the receiver has to be faked. In this sense non-committing encryption is a stronger notion than receiver-deniable encryption. But, in fact, the notions are incomparable, as receiver-deniable encryption on other axes is stronger than non-committing encryption. As an example, it can be shown that if a public-key encryption scheme is receiver-deniable, then the parallel composition of the scheme where the same public key is used to encrypt many messages is also receiver-deniable. This is a property which non-committing encryption provably does not have. And, in fact, this self-composition property is crucial in the proof of our lower bound. Also, the result in [Nie02] addresses the case of perfect non-committing encryption (the real world and the simulated world must be indistinguishable). We are interested in the exact level of security which can be obtained, i.e., given a public-key encryption scheme with a certain secret-key length, how deniable can the scheme be?

Structure: In Section 2 we formally define the different flavors of deniable public-key encryption. In Section 3 we show that receiver-deniability is maintained under parallel self-composition with at most a linear security loss. We use that fact to derive our lower bounds, giving us the impossibility result for fully receiver-deniable encryption. Finally, Section 4 contains our results on poly-deniable encryption schemes.

2 Deniable Public-Key Encryption 

In this section we define three different notions of deniable public-key encryption 
schemes. These notions correspond respectively to an adversary with the ability 
to coerce the receiver, the sender or both parties simultaneously. We model 
coercion by letting the adversary request the secret information used in the 
encryption scheme by the coerceable parties. Deniability is obtained by letting 
the coerceable parties supply fake secret information. 


Basic Scheme. All schemes are defined based on the following definition of a standard public-key encryption scheme consisting of three probabilistic polynomial-time algorithms (G, E, D):

— G(1^κ) generates a key-pair (pk, sk), where pk is the public key, sk is the secret key and κ is the security parameter. Note that we consider sk to be the randomness used in G(1^κ).

— E_pk(m; r) generates a ciphertext c which is an encryption under the public key pk of message m ∈ {0,1}^ℓ using randomness r. We sometimes write E_pk(m) to make the randomness implicit.

— D_sk(c) outputs the message m ∈ {0,1}^ℓ contained in the ciphertext c.

Let negl : ℕ → ℝ^+ be a negligible function. For all notions defined below we require correctness, i.e., we require that Pr[D_sk(E_pk(m)) = m] ≥ 1 − negl(κ), and IND-CPA security, i.e., we require that for all PPT (A_1, A_2) there exists negl(·) such that

Pr[(pk, sk) ← G(1^κ), (m_0, m_1, st) ← A_1(pk), b ← {0,1}, c = E_pk(m_b), b' ← A_2(c, st) : b = b'] ≤ 1/2 + negl(κ).


Multi-distributional Encryption. We define a general form of deniable public-key encryption called multi-distributional deniable public-key encryption. Such a scheme essentially consists of two standard public-key schemes sharing a common decryption algorithm.

— The honest scheme (G, E, D) does not provide deniability in itself.

— The fakeable scheme (G_F, E_F, D) provides deniability in the sense that, for a ciphertext c, fake secret information can be generated. The faked secret information will make c appear as an encryption of any chosen message m' in the honest scheme. How this is done depends on the notion of deniability as defined below.

For a multi-distributional deniable public-key encryption scheme to be correct we require standard correctness of all public-key schemes (G', E', D) where G' ∈ {G, G_F} and E' ∈ {E, E_F}.

The idea behind having two different schemes is to use the fakeable scheme to encrypt a message m on which the parties would like to have deniability. When coerced, the parties simply claim that they used the honest scheme to encrypt the fake message m'. This approach has two disadvantages. First, the parties must decide beforehand whether they later want to deny. Secondly, there is the question of why a coercer should believe the parties when they claim to have used the honest scheme. Note that we cannot guarantee deniability if the coercer insists on getting the secret information used in the faking process.

Fully-deniable Encryption. An important special case of multi-distributional deniable public-key encryption is fully-deniable public-key encryption (or just deniable public-key encryption). This notion addresses the disadvantages of multi-distributional encryption mentioned above. For a fully-deniable public-key encryption scheme we have that (G, E, D) = (G_F, E_F, D), that is, there are no special faking key generation and encryption algorithms. We will often omit the prefix "fully" for simplicity.

Receiver-Deniability. A multi-distributional receiver-deniable public-key encryption scheme consists of five probabilistic polynomial-time algorithms (G, G_F, E, D, F_R). Here (G, E, D) is the honest scheme and (G_F, E, D) is the fakeable scheme. Notice that the honest and fakeable encryption algorithms are the same since faking is only done on the receiver's side. The faking algorithm F_R is defined as follows:

— For (pk, sk) ← G_F(1^κ) and c ← E_pk(m), F_R(sk, c, m') generates an alternative secret key sk' such that D_sk'(c) = m'.


Sender-Deniability. A multi-distributional sender-deniable public-key encryption scheme consists of five probabilistic polynomial-time algorithms (G, E, E_F, D, F_S). Here (G, E, D) is the honest scheme and (G, E_F, D) is the fakeable scheme. The faking algorithm F_S is defined as follows:

— F_S(pk, m, r, m') generates alternative randomness r' such that E_{F,pk}(m; r) = E_pk(m'; r').
Bi-Deniability. We assume here to be in a setting where receiver and sender have individual faking algorithms. This models the fact that, after an initial stage where the parties can agree on which message to fake to, the sender and the receiver cannot communicate over a channel that is not controlled by the adversary; otherwise they could be using this channel to communicate the message m in the first place.

A multi-distributional bi-deniable public-key encryption scheme consists of seven probabilistic polynomial-time algorithms (G, G_F, E, E_F, D, F_R, F_S). The faking algorithms F_R and F_S are defined similarly to the receiver-deniable and sender-deniable notions respectively, that is:

— For (pk, sk) ← G_F(1^κ) and c ← E_{F,pk}(m), F_R(sk, c, m') generates an alternative secret key sk' such that D_sk'(c) = m'.

— F_S(pk, m, r, m') generates alternative randomness r' such that E_{F,pk}(m; r) = E_pk(m'; r').


2.1 Security Notions

The security notions of the three schemes above are defined in terms of the following experiments performed with an adversary A = (A_1, A_2), where m, m' ∈ {0,1}^ℓ.

Honest Game (Receiver):
  (pk, sk) ← G(1^κ)
  (m, m', st) ← A_1(pk)
  c ← E_pk(m'; r)
  b ← A_2(st, c, sk)

Faking Game (Receiver):
  (pk, sk) ← G_F(1^κ)
  (m, m', st) ← A_1(pk)
  c ← E_pk(m; r)
  sk' ← F_R(sk, c, m')
  b ← A_2(st, c, sk')

Honest Game (Sender):
  (pk, sk) ← G(1^κ)
  (m, m', st) ← A_1(pk)
  c ← E_pk(m'; r)
  b ← A_2(st, c, r)

Faking Game (Sender):
  (pk, sk) ← G(1^κ)
  (m, m', st) ← A_1(pk)
  c ← E_{F,pk}(m; r)
  r' ← F_S(pk, m, r, m')
  b ← A_2(st, c, r')

Honest Game (Bi):
  (pk, sk) ← G(1^κ)
  (m, m', st) ← A_1(pk)
  c ← E_pk(m'; r)
  b ← A_2(st, c, sk, r)

Faking Game (Bi):
  (pk, sk) ← G_F(1^κ)
  (m, m', st) ← A_1(pk)
  c ← E_{F,pk}(m; r)
  sk' ← F_R(sk, c, m')
  r' ← F_S(pk, m, r, m')
  b ← A_2(st, c, sk', r')

Let H_A(κ) and J_A(κ) denote the probability that b = 1 when running the honest game and the faking game, respectively, with security parameter κ. The advantage of A is

Adv_A(κ) = |H_A(κ) − J_A(κ)|.

We say that a scheme is (receiver/sender/bi)-deniable if Adv_A is negligible in κ for any efficient A. Let ε : ℕ → ℝ^+. We say that a scheme is ε-(receiver/sender/bi)-deniable if Adv_A(κ) ≤ ε(κ) + negl(κ).


2.2 Full Bi-deniability Implies Full Sender/Receiver-Deniability

Any fully bi-deniable scheme can trivially be turned into both a receiver-deniable and a sender-deniable scheme. On the surface this seems obvious: if both parties can fake then they should be able to fake individually as well. Surprisingly, however, this conclusion cannot be drawn in the multi-distributional setting; in [OPW11] the authors show that in this setting bi-deniability does imply sender deniability but not receiver deniability. As stated in Lemma 1, similar subtleties do not arise in the fully-deniable case. A proof of this can be found in the full version.

Lemma 1. If (G, E, D, F_R, F_S) is a fully ε-bi-deniable encryption scheme, then (G, E, D, F_S) is a fully ε-sender-deniable encryption scheme and (G, E, D, F_R) is a fully ε-receiver-deniable encryption scheme.


3 Impossibility of Fully Receiver/Bi-deniable Encryption

In this section we prove the impossibility of fully receiver-deniable and fully bi-deniable public-key encryption with better than inverse polynomial security. Since, by Lemma 1, any fully bi-deniable public-key encryption scheme is also a fully receiver-deniable public-key encryption scheme, it is sufficient to prove impossibility of fully receiver-deniable public-key encryption. It turns out that the impossibility follows readily from the fact that full receiver-deniability is preserved under parallel self-composition with only a linear security loss.

We will use a slightly modified definition of receiver-deniability. Recall that in the definition from Section 2 the faking algorithm F_R is invoked as F_R(sk, c, m'); in particular it is not given the sender's randomness r. In this section we will allow F_R to have access to r, that is, F_R is invoked as F_R(sk, m, r, m'). Since we are proving an impossibility result, this does not weaken the result.

3.1 Security of Parallel Self-composition 

Let $(G, E, D, F_R)$ be any receiver-deniable public-key cryptosystem. Let $n : \mathbb{N} \to \mathbb{N}$ be a polynomial in the security parameter $\kappa$. We define the parallel self-composition $(G^n, E^n, D^n, F_R^n)$ as follows:

$$G^n(1^\kappa) = G(1^\kappa)$$

$$E^n_{pk}(m_1, \ldots, m_n; r_1, \ldots, r_n) = (E_{pk}(m_1; r_1), \ldots, E_{pk}(m_n; r_n))$$

$$D^n_{sk}(c_1, \ldots, c_n) = (D_{sk}(c_1), \ldots, D_{sk}(c_n))$$

$$F_R^n(sk, (m_1, \ldots, m_n), (r_1, \ldots, r_n), (m'_1, \ldots, m'_n)) = sk',$$

where $sk_0 = sk$, $sk_i \leftarrow F_R(sk_{i-1}, m_i, r_i, m'_i)$ for $i = 1, \ldots, n$ and $sk_n = sk'$.

Lemma 2. If $(G, E, D, F_R)$ is $\varepsilon$-receiver-deniable, then $(G^n, E^n, D^n, F_R^n)$ is $n\varepsilon$-receiver-deniable.

Proof. Let $A^n = (A^n_1, A^n_2)$ be any probabilistic polynomial-time attacker against $(G^n, E^n, D^n, F_R^n)$. For $h = 1, \ldots, n$ we construct from $A^n$ a probabilistic polynomial-time attacker $A_h = (A_{h,1}, A_{h,2})$ against $(G, E, D, F_R)$. We can then describe the advantage of $A^n$ in terms of the advantages of $A_h$ for $h = 1, \ldots, n$. Since, by assumption on $(G, E, D, F_R)$, we have a bound on the advantage of each $A_h$, this gives us the bound on the advantage of $A^n$. The attacker $A_h$ runs as follows:

1. $A_{h,1}$: Receive $pk$.

2. $A_{h,1}$: Input $pk$ to $A^n$ and run $A^n$ to obtain $(m_1, \ldots, m_n)$, $(m'_1, \ldots, m'_n)$ and state $st_{A^n}$.

3. $A_{h,1}$: For $i = 1, \ldots, h-1$, sample $c_i \leftarrow E_{pk}(m'_i)$.

4. $A_{h,1}$: Output $(m_h, m'_h, st_{A_h})$ where $st_{A_h} = ((m_1, \ldots, m_n), (m'_1, \ldots, m'_n), st_{A^n}, (c_1, \ldots, c_{h-1}))$.

5. $A_{h,2}$: Receive $(st_{A_h}, c, sk)$. Let $c_h = c$ and $sk_h = sk$.

6. $A_{h,2}$: For $i = h+1, \ldots, n$, sample $c_i \leftarrow E_{pk}(m_i; r_i)$ and $sk_i \leftarrow F_R(sk_{i-1}, m_i, r_i, m'_i)$.

7. $A_{h,2}$: Input $(st_{A^n}, (c_1, \ldots, c_n), sk_n)$ to $A^n$ and run it to obtain a bit $b \in \{0, 1\}$.

8. $A_{h,2}$: Output $b$.

Let $b^0_h$ be the distribution of the bit $b$ output by $A_h$ when run in the honest game and let $b^1_h$ be the distribution of the bit $b$ output by $A_h$ when run in the faking game.

When $A_h$ is run in the honest game, then $sk_n$ is computed from an honest secret key $sk_h$ as $sk_i \leftarrow F_R(sk_{i-1}, m_i, r_i, m'_i)$ for $i = h+1, \ldots, n$. When $A_h$ is run in the faking game, then $sk_n$ is computed from an honest secret key $sk_{h-1}$ as $sk_i \leftarrow F_R(sk_{i-1}, m_i, r_i, m'_i)$ for $i = h, \ldots, n$, where the first computation $sk_h \leftarrow F_R(sk_{h-1}, m_h, r_h, m'_h)$ is performed by the faking game before $sk_h$ is input to $A_h$. It follows that when $A_h$ is run in the honest game and $A_{h+1}$ is run in the faking game, the values input to $A^n$ have identical distributions, so $b^1_h = b^0_{h-1}$. Let $\mathrm{Adv}_{A_h}$ denote the advantage of $A_h$ against $(G, E, D, F_R)$ and $\mathrm{Adv}_{A^n}$ the advantage of $A^n$ against $(G^n, E^n, D^n, F_R^n)$. We then have by definition $\mathrm{Adv}_{A_h}(\kappa) = |b^0_h - b^1_h|$ and by construction $\mathrm{Adv}_{A^n}(\kappa) = |b^0_n - b^1_1|$, where $\kappa$ is the security parameter. It then follows using telescoping and the triangle inequality that $\mathrm{Adv}_{A^n}(\kappa) \le n\varepsilon(\kappa) + \sum_{h=1}^{n} \mathrm{negl}_h(\kappa)$, where all $\mathrm{negl}_h$ are negligible in $\kappa$. The lemma then follows from the fact that the sum of polynomially many negligible functions is negligible. □
Notice that Lemma 2 means that a faked secret key $sk_n$, resulting from $F_R^n$, must somehow remember the faking of each ciphertext involved in the process. In other words $sk_n$ must not only fake a single ciphertext, it must ensure that every ciphertext $c_i$ decrypts to the faked message $m'_i$ with high probability. To see why, consider the efficient adversary $A$ of the receiver-deniable game against $(G^n, E^n, D^n, F_R^n)$ that simply outputs $b = 1$ if $m'_i = D_{sk_n}(c_i)$ for all $i = 1, \ldots, n$ and $b = 0$ otherwise. By correctness of the encryption scheme and by Lemma 2 the above property of $sk_n$ becomes clear.

Let $s$ be a bit string of length $n$. In the proof of the following theorem we use this property to show how to associate each bit of $s$ with a faking of a ciphertext and thus how to store $s$ in the memory of the faked secret key $sk_n$. The impossibility result arises from the fact that this can be done even for random $s$ longer than $sk_n$.

3.2 Lower Bound 

We here show a lower bound on $\varepsilon$ in an $\varepsilon$-receiver-deniable encryption scheme. This bound immediately gives that one cannot obtain better than polynomial security. The bound is stated formally in the following theorem:

Theorem 1. Let $(G, E, D, F_R)$ be $\varepsilon$-receiver-deniable, and let $\sigma$ be an upper bound on the length of the secret keys of $(G, E, D, F_R)$, including the faked ones. Then $\varepsilon \ge \frac{1}{2}(\sigma + 1)^{-1} - \mathrm{negl}(\kappa)$.

Proof. We reach our bound via impossibility of compressing uniformly random data. Let $n = \sigma + 1$. We can assume that $(G, E, D, F_R)$ can encrypt at least one bit, so $(G^n, E^n, D^n, F_R^n)$ can encrypt $n$-bit messages. Furthermore $(G^n, E^n, D^n, F_R^n)$ is $n\varepsilon$-receiver-deniable.

Consider the following communication protocol parametrized by $n$. Here is how the sender works:

1. Sample $(pk, sk) \leftarrow G^n(1^\kappa)$.

2. Sample uniformly random $m' \leftarrow \{0, 1\}^n$ and let $m = 0^n$.

3. Sample $c \leftarrow E^n_{pk}(m; r)$.

4. Let $sk' \leftarrow F_R^n(sk, m, r, m')$.

5. Send $(c, sk')$.

On receiving $(c, sk')$ the receiver outputs $m'' = D^n_{sk'}(c)$.

To bound the probability that this protocol fails, i.e., that $m'' \ne m'$, consider the following adversary $A = (A_1, A_2)$ for the receiver-deniable security games against $(G^n, E^n, D^n, F_R^n)$. On input $pk$, $A_1$ outputs $(m, m', st)$, where the messages $m$ and $m'$ are sampled as in step 2 of the sender algorithm above. The state $st$ is set to be $m'$. On input $(st, c, sk')$, $A_2$ computes $D^n_{sk'}(c) = m''$ and outputs 1 if $m'' = m' = st$ and 0 otherwise. Now notice that steps 1 to 4 of the sender algorithm above correspond to the first four steps of the receiver-deniable faking game against $A$. That is, the probability that the communication protocol fails, i.e., that $m'' \ne m'$, is exactly the same as $A_2$ outputting 0 in the faking game. In the honest game we have by correctness of $(G^n, E^n, D^n, F_R^n)$ that $A_2$ only outputs 0 with negligible probability. Thus by $n\varepsilon$-receiver-deniability we have $\Pr[m'' \ne m'] \le n\varepsilon(\kappa) + \mathrm{negl}(\kappa)$. We later use this bound on the correctness of the communication protocol to derive our bound, but first we transform the protocol a bit.

For each $\kappa$, let $r_\kappa$ be the value which minimizes the probability that $m'' \ne m'$ when $c_\kappa = E^n_{pk}(0^n; r_\kappa)$. Consider then the following non-uniform communication protocol parametrized by $\kappa$. Here is how the sender works:

1. Sample $(pk, sk) \leftarrow G^n(1^\kappa)$.

2. Sample $m' \leftarrow \{0, 1\}^n$.

3. Let $sk' \leftarrow F_R^n(sk, 0^n, r_\kappa, m')$.

4. Send $sk'$.

The receiver outputs $m'' = D^n_{sk'}(c_\kappa)$, where $c_\kappa = E^n_{pk}(0^n; r_\kappa)$. Note that $r_\kappa$ and $c_\kappa$ are hardwired into the protocol and are therefore not communicated as part of the protocol. We still have that $\Pr[m'' \ne m'] \le n\varepsilon(\kappa) + \mathrm{negl}(\kappa)$. Using that $n = \sigma + 1$ we get that $(\sigma + 1)\varepsilon(\kappa) \ge 1 - \Pr[m'' = m'] - \mathrm{negl}(\kappa)$. From incompressibility of uniformly random data it follows that $\Pr[m'' = m'] \le 2^{\sigma - n} = 2^{-1}$, as the protocol sends only $sk'$, which is at most $\sigma$ bits long, and because $m'$ is uniformly random and $n = \sigma + 1$ bits long. Combining these bounds we get that $\varepsilon(\kappa) \ge \frac{1}{2}(\sigma + 1)^{-1} - \mathrm{negl}(\kappa)$. □

In words, this bound says that any public-key cryptosystem with $\sigma$-bit keys can be at most $\frac{1}{2}(\sigma + 1)^{-1}$-receiver-deniable. Thus to get negligible receiver-deniability, keys must be superpolynomial in size. This, however, would contradict the key generation algorithm being polynomial-time as required by our definition of a public-key cryptosystem.
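The counting step of the proof of Theorem 1, as an added example that is not part of the paper: the receiver sees only $sk'$, which is at most $\sigma$ bits, so whatever the faking algorithm does, at most $2^\sigma$ of the $2^n$ possible $m'$ can be reproduced, and with $n = \sigma + 1$ the success probability is at most $1/2$. The decoder below is a constructed SHA-256-based stand-in for the map $sk' \mapsto D^n_{sk'}(c_\kappa)$ with $c_\kappa$ hardwired (the function names and the use of a hash are this example's assumptions); the faker is given a full preimage table, i.e. more power than any real $F_R^n$, and still cannot do better than the image size allows.

```python
"""Counting step behind Theorem 1: a faked secret key of at most sigma bits
cannot make a fixed ciphertext decrypt to a uniformly random (sigma+1)-bit
message with probability above 1/2, whatever the faking algorithm does.

Added example, not code from the paper. The decoder is a constructed
stand-in for sk' -> D^n_{sk'}(c_kappa) with c_kappa and r_kappa hardwired;
any deterministic map from sigma-bit keys to n-bit messages would do.
"""
from fractions import Fraction
import hashlib


def constructed_decoder(sigma: int, n: int):
    """Return a deterministic map from sigma-bit keys to n-bit messages.

    Built from SHA-256 only to get an arbitrary-looking function (an
    assumption of this example, not anything the paper specifies)."""
    def decode(key: int) -> int:
        digest = hashlib.sha256(key.to_bytes((sigma + 7) // 8, "big")).digest()
        return int.from_bytes(digest, "big") % (1 << n)
    return decode


def optimal_faker_table(decode, sigma: int):
    """The best conceivable F_R^n: for every message m' in the image of the
    decoder, some key sk' with decode(sk') = m'. Messages outside the image
    cannot be faked by any choice of sk'."""
    table = {}
    for sk in range(1 << sigma):
        table.setdefault(decode(sk), sk)
    return table


def faking_success_probability(sigma: int, n: int) -> Fraction:
    """Pr[m'' = m'] over uniform m' in {0,1}^n when the receiver learns only
    a sigma-bit sk'. Equals |image(decode)| / 2^n <= 2^(sigma - n)."""
    decode = constructed_decoder(sigma, n)
    table = optimal_faker_table(decode, sigma)
    hits = sum(1 for m in range(1 << n) if m in table)
    return Fraction(hits, 1 << n)


def epsilon_lower_bound(sigma: int, success: Fraction) -> Fraction:
    """Rearranged inequality from the proof with the negligible term dropped:
    (sigma+1) * eps >= 1 - Pr[m'' = m'], so eps >= (1 - success)/(sigma+1)."""
    return (1 - success) / (sigma + 1)


if __name__ == "__main__":
    sigma = 8
    n = sigma + 1
    succ = faking_success_probability(sigma, n)
    print(f"sigma={sigma}, n={n}: Pr[m'' = m'] = {succ} <= 1/2")
    print(f"epsilon >= {epsilon_lower_bound(sigma, succ)} >= {Fraction(1, 2 * (sigma + 1))}")
```

With $\sigma = 8$ the table has at most 256 entries against 512 possible messages, so the printed success probability is at most $1/2$ and the derived bound on $\varepsilon$ is at least $1/18$, matching $\frac{1}{2}(\sigma+1)^{-1}$ from the theorem.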

4 From Multi-distributional to Poly Deniability 

We now give explicit constructions of poly-(sender/receiver/bi)-deniable public-key encryption schemes from any multi-distributional (sender/receiver/bi)-deniable public-key encryption scheme respectively. As in [CDNO97, OPW11], the basic idea in all these constructions is to encrypt a message bit $b$ by first writing it as $b = \bigoplus_{i=1}^{n} b_i$ for random $b_i$'s, and then encrypting each $b_i$ independently using randomly either the honest or the fakeable encryption scheme. To fake we just have to identify an index $j$ where the fakeable scheme was used and use the corresponding faking algorithm. This is no problem for sender and receiver deniability since in those cases whoever is running the faking algorithm knows exactly on which indices the fakeable scheme was used. The bi-deniable case however is more challenging because sender and receiver must agree on an index $j$ where they both used the fakeable scheme. As discussed in the introduction, a different solution for this problem was hinted at in [OPW11]. All the constructions are for bit encryption: for longer plaintext space one can simply run the scheme in parallel.
In the following subsections we will need two technical lemmas which we state here. Let a randomized encoding $E$ be a randomized function from $\{0, 1\}$ to $\{0, 1\}^n$. Consider the following game $D(A, E)$ between a randomized encoding $E$ and an adversary $A$ (an interactive Turing machine):

1. Run $A$ to make it output a bit $b \in \{0, 1\}$.

2. Sample $(b_1, \ldots, b_n) \leftarrow E(b)$.

3. Input $(b_1, \ldots, b_n)$ to $A$ and run it to produce a guess $g \in \{0, 1\}$.

4. Output $g$.

We define the advantage of $A$ in distinguishing two randomized encodings $E_0$ and $E_1$ to be $\mathrm{Adv}_A(E_0, E_1) = |\Pr[D(A, E_0) = 0] - \Pr[D(A, E_1) = 0]|$. Notice that if we fix $b$, then $E_0(b)$ and $E_1(b)$ are random variables, making the statistical distance between them well-defined. Let $\sigma_b$ denote the statistical distance between $E_0(b)$ and $E_1(b)$ and let $\sigma(E_0, E_1) = \max(\sigma_0, \sigma_1)$.

Lemma 3. It holds for all adversaries $A$ and all randomized encodings $E_0$ and $E_1$ that $\mathrm{Adv}_A(E_0, E_1) \le \sigma(E_0, E_1)$.

Lemma 4. Let $s = 1, 2, \ldots$ be a parameter. Let $N : \mathbb{N} \to \mathbb{N}$, where $N_s = N(s)$ is the number of samples at setting $s$. For each $s$, let $D_s$ be the distribution

$$X = \begin{cases} -p & \text{with probability } q \\ q & \text{with probability } p \\ 0 & \text{with probability } 1 - p - q \end{cases}$$

where $p$ and $q$ might be functions of $s$. Let $X_{s,1}, \ldots, X_{s,N_s}$ be $N_s$ i.i.d. variables distributed according to $D_s$. Let $X_s = \sum_{i=1}^{N_s} X_{s,i}$ and let $S_s = \Pr[X_s \in [0, \frac{1}{2})]$. Then
The first lemma is trivial to prove, and the second follows directly from the 
Berry-Esseen inequality jKSKlj . Full proofs can be found in the full version. 

4.1 Poly-Sender-Deniability 

As a warm up we show that a multi-distributional sender-deniable scheme implies a poly-sender-deniable scheme. From a scheme $(G, E, E_F, D, F_S)$ we produce a scheme $(G', E', D', F_S')$ which encrypts a single bit $b$. The produced scheme is basically the Parity Scheme of [CDNO97], only whereas our scheme is based on a multi-distributional sender-deniable scheme, the scheme in [CDNO97] is based on a so-called translucent set.

Key Generation $G'(1^\kappa)$: Output $(pk, sk) \leftarrow G(1^\kappa)$.

Encryption $E'_{pk}(b)$: Sample a uniformly random index $j \in \{0, \ldots, n\}$ so that $j$ is even for $b = 0$ and odd for $b = 1$. For $i = 1, \ldots, n$ do the following.

1. For $i \le j$ sample $c_i \leftarrow E_{F,pk}(1; r_i)$.

2. For $i > j$ sample $c_i \leftarrow E_{pk}(0; r_i)$.

Output $C = (c_i)_{i=1}^{n}$.

Decryption $D'_{sk}(C)$: Parse $C$ as $(c_i)_{i=1}^{n}$. Compute $b_i = D_{sk}(c_i)$ for $i = 1, \ldots, n$ and output $b = \bigoplus_{i=1}^{n} b_i$.

Fake $F_S'(pk, b, (j, (r_i)_{i=1}^{n}), b')$: If $b = b'$ output $(j, (r_i)_{i=1}^{n})$. Otherwise let $r'_j = F_S(pk, 1, r_j, 0)$ and $j' = j - 1$. Let $r'_i = r_i$ for all $i \ne j$ and output $(j', (r'_i)_{i=1}^{n})$.

Theorem 2. If $(G, E, E_F, D, F_S)$ is multi-distributional sender-deniable, then $(G', E', D', F_S')$ is $4/n$-sender-deniable.

Proof. Correctness and semantic security are obvious. To prove poly-sender-deniability we first consider the following hybrid game $H_1$.

$H_1$ proceeds exactly as the faking game for sender-deniability, only it modifies the faking algorithm $F_S'$ by simply sampling $r'_j$ as randomness for the honest encryption algorithm $E$, and replaces the ciphertext $C = (c_i)_{i=1}^{n}$ with $C' = (c'_i)_{i=1}^{n}$ where $c'_j = E_{pk}(0; r'_j)$ and $c'_i = c_i$ for all $i \ne j$. Notice that $H_1$ only changes the distribution of $r'_j$ and $c'_j$; the distribution of all other inputs to the adversary remains the same. In other words, distinguishing the two games comes down to distinguishing an honest encryption of 0 from an encryption faked to an honest encryption of 0. Thus by the multi-distributional sender-deniability of $(G, E, E_F, D, F_S)$ the advantage of any adversary in distinguishing the two games will be negligible in $\kappa$.

Now consider another hybrid game $H_2$. $H_2$ proceeds exactly as the honest game for sender-deniability except that it modifies the encryption algorithm $E'$ by picking $j$ in the following way: first it picks a uniformly random index $i \in \{0, \ldots, n\}$ such that $i$ is odd for $b = 0$ and even for $b = 1$ (i.e., the opposite of how $E'$ picks $j$) and then sets $j = i - 1$. Notice now that $H_2$ outputs exactly the same as $H_1$ to the adversary, only the output is generated in a slightly different order. I.e., $H_1$ and $H_2$ are perfectly indistinguishable. However, since $H_2$ proceeds exactly as the honest game except that it picks $j$ from a different distribution, distinguishing $H_2$ from the honest game comes down to distinguishing the two different distributions of $j$.

In order to utilize Lemma 3 we can view these distributions as randomized encodings. Let us denote by $E_0$ and $E_1$ the encodings that encode a bit $b$ as $j$ 1's followed by $n - j$ 0's. For $E_0$, $j$ is sampled as in the honest game where the adversary outputs $b$, and for $E_1$, $j$ is sampled as in the hybrid game $H_2$ where the adversary outputs $b$. If $j = -1$ in the hybrid game, $E_1$ will encode this as a special string, say a 0 followed by $n - 1$ 1's. First notice that for $b = 0$ both games sample $j$ uniformly at random in $\{0, 2, 4, \ldots, n-1\}$, i.e., $\sigma_0 = 0$. However, for $b = 1$ the honest game samples $j$ uniformly at random in $\{1, 3, 5, \ldots, n\}$ whereas $H_2$ samples uniformly at random in $\{-1, 1, 3, \ldots, n-2\}$. Thus clearly $\sigma_1 = 4/n$.

Now by Lemma 3 we have that any adversary has advantage at most $4/n$ in distinguishing the honest game from $H_2$. By the above hybrid argument it follows that any adversary has advantage at most $4/n + \mathrm{negl}(\kappa)$ in distinguishing the honest game from the faking game. I.e., $(G', E', D', F_S')$ is $4/n$-sender-deniable. □
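To make the statistical-distance step of this proof concrete, here is an added example (not code from the paper) that builds the two index distributions of the honest game and of $H_2$, pushes them through the encoding $j \mapsto 1^j 0^{n-j}$ (with $0\,1^{n-1}$ as the special string for $j = -1$, which the proof only suggests with "say"), and computes $\sigma_0$ and $\sigma_1$ exactly with rational arithmetic. For odd $n$ it returns $\sigma_0 = 0$ and $\sigma_1 = 2/(n+1)$, which lies within the $4/n$ the proof uses, so the advantage bound of Lemma 3 follows directly from these numbers. Function names are this example's own.

```python
"""Lemma 3 applied to the proof of Theorem 2: the honest game and hybrid H_2
differ only in how the index j is drawn, so the distinguishing advantage is
bounded by the statistical distance between the two index distributions,
viewed as randomized encodings of the bit b.

Added example, not code from the paper. The special string for j = -1 is
this example's rendering of the proof's 'say a 0 followed by n-1 ones'.
"""
from fractions import Fraction
from typing import Dict, Tuple

Distribution = Dict[Tuple[int, ...], Fraction]


def honest_index_distribution(n: int, b: int) -> Dict[int, Fraction]:
    """E'_pk(b): j uniform in {0, ..., n} with the parity of j equal to b."""
    support = [j for j in range(0, n + 1) if j % 2 == b]
    return {j: Fraction(1, len(support)) for j in support}


def hybrid_index_distribution(n: int, b: int) -> Dict[int, Fraction]:
    """H_2: draw i in {0, ..., n} with the opposite parity, then set j = i - 1."""
    support = [i - 1 for i in range(0, n + 1) if i % 2 != b]
    return {j: Fraction(1, len(support)) for j in support}


def encode_index(n: int, j: int) -> Tuple[int, ...]:
    """The encoding from the proof: j ones followed by n-j zeros; j = -1 maps
    to the special string 0 1^(n-1) (assumed form, see module docstring)."""
    if j == -1:
        return (0,) + (1,) * (n - 1)
    return (1,) * j + (0,) * (n - j)


def encoding_distribution(n: int, index_dist: Dict[int, Fraction]) -> Distribution:
    """Push a distribution over j through encode_index."""
    out: Distribution = {}
    for j, pr in index_dist.items():
        word = encode_index(n, j)
        out[word] = out.get(word, Fraction(0)) + pr
    return out


def statistical_distance(d0: Distribution, d1: Distribution) -> Fraction:
    """sigma_b = 1/2 * sum_x |Pr_0[x] - Pr_1[x]| over the union of supports."""
    keys = set(d0) | set(d1)
    total = sum((abs(d0.get(k, Fraction(0)) - d1.get(k, Fraction(0))) for k in keys),
                Fraction(0))
    return total / 2


def sigma_bound(n: int) -> Fraction:
    """sigma(E_0, E_1) = max(sigma_0, sigma_1) for the encodings of the proof
    (n odd). This is the exact value, which Lemma 3 turns into an advantage
    bound; the proof itself works with the looser 4/n."""
    sigmas = []
    for b in (0, 1):
        e0 = encoding_distribution(n, honest_index_distribution(n, b))
        e1 = encoding_distribution(n, hybrid_index_distribution(n, b))
        sigmas.append(statistical_distance(e0, e1))
    return max(sigmas)


if __name__ == "__main__":
    for n in (5, 7, 9, 15):
        print(f"n={n}: sigma(E_0, E_1) = {sigma_bound(n)}, proof's bound 4/n = {Fraction(4, n)}")
```

For $n = 5$ the two $b = 1$ supports are $\{1, 3, 5\}$ and $\{-1, 1, 3\}$, each with mass $1/3$ per point, and the distance is $1/3$; the $b = 0$ supports coincide, so $\sigma_0 = 0$ as the proof states.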
4.2 Poly-Receiver-Deniability

We show that a multi-distributional receiver-deniable scheme implies a poly-receiver-deniable scheme. From a scheme $(G, G_F, E, D, F_R)$ we produce a scheme $(G', E', D', F_R')$ which encrypts a single bit $b$.

Key generation $G'(1^\kappa)$: For $i = 1, \ldots, n$ sample uniformly random bits $a_i \in \{0, 1\}$ and then sample $(pk_i, sk_i) \leftarrow G^{a_i}(1^\kappa)$, where $G^0 = G$ and $G^1 = G_F$. Output $(PK, SK) = ((pk_i)_{i=1}^{n}, (sk_i, a_i)_{i=1}^{n})$.

Encryption $E'_{PK}(b)$: Parse $PK$ as $(pk_i)_{i=1}^{n}$. For $i = 1, \ldots, n-1$, sample $b_i$ uniformly at random and let $b_n = b \oplus \bigoplus_{i=1}^{n-1} b_i$, compute $c_i \leftarrow E_{pk_i}(b_i)$ and output $C = (c_i)_{i=1}^{n}$.

Decryption $D'_{SK}(C)$: Parse $SK$ as $(sk_i, a_i)_{i=1}^{n}$ and $C$ as $(c_i)_{i=1}^{n}$. Compute $b_i = D_{sk_i}(c_i)$ for $i = 1, \ldots, n$ and output $b = \bigoplus_{i=1}^{n} b_i$.

Fake $F_R'(SK, C, b')$: If $b' = D'_{SK}(C)$ output $SK$. Otherwise parse $SK$ as $(sk_i, a_i)_{i=1}^{n}$ and $C$ as $(c_i)_{i=1}^{n}$. Pick a uniformly random index $i$ for which $a_i = 1$, compute $b_i = D_{sk_i}(c_i)$ and let $sk'_i = F_R(sk_i, c_i, 1 - b_i)$ and $a'_i = 0$. For all $j \ne i$ let $sk'_j = sk_j$ and $a'_j = a_j$. Output $SK' = (sk'_j, a'_j)_{j=1}^{n}$.

If $\kappa$ is the key length of the underlying scheme then the above scheme has keys of length $n\kappa$. The following result then implies that one can build a $1/n$-receiver-deniable scheme with keys of size $\sigma = O(n^2 \kappa)$.

Theorem 3. If $(G, G_F, E, D, F_R)$ is multi-distributional receiver-deniable, then $(G', E', D', F_R')$ is $(n-1)^{-1/2}$-receiver-deniable.

Proof. In the following we assume for simplicity that $n$ is odd; a similar analysis can be made in the case of $n$ even. Correctness and semantic security are obvious. Using a hybrid argument, the distinguishing probability of any poly-time adversary against the above scheme is negligibly close to the best distinguishing advantage between the two randomized encodings $E_0$ and $E_1$ defined as follows:

1. $E_0(b) = (b_1, \ldots, b_n)$, where the $b_i \in \{0, 1\}$ are uniformly random and independent except that $b = \bigoplus_{i=1}^{n} b_i$.

2. $E_1(b) = (b_1, \ldots, b_n)$ is sampled as follows. First sample $b'_i \in \{0, 1\}$ as in $E_0(b \oplus 1)$. Then, if $b' = 0^n$, let $(b_1, \ldots, b_n) = (b'_1, \ldots, b'_n)$. Otherwise, pick a uniformly random $j \in \{1, \ldots, n\}$ for which $b'_j = 1$ and then let $b_j = 0$ and let $b_i = b'_i$ for $i \ne j$.

The event $b' = 0^n$ happens with negligible probability, so we can analyze under the assumption that this does not happen. In that case the bits $b_n$ and $b'_n$ can be computed as $b_n = b \oplus \bigoplus_{i=1}^{n-1} b_i$ and $b'_n = b \oplus 1 \oplus \bigoplus_{i=1}^{n-1} b'_i$, respectively. So, one can distinguish $D_0(b) = (b_1, \ldots, b_{n-1})$, the first $n-1$ bits of $E_0(b)$, and $D_1(b) = (b_1, \ldots, b_{n-1})$, the first $n-1$ bits of $E_1(b)$, with the same advantage as one can distinguish $E_0(b)$ and $E_1(b)$. The distribution $D_0(b)$ consists of $n-1$ uniformly random bits. The distribution $D_1(b)$ consists of $n-1$ uniformly random bits, where we flipped a random occurrence of 1 to 0. For $\mathbf{b} \in \{0, 1\}^{n-1}$, let $\#_1(\mathbf{b})$ be the number of 1's in the vector and let $\#_0(\mathbf{b}) = n - 1 - \#_1(\mathbf{b})$ be the number of 0's. By the symmetry of the distributions, it is easy to see that one can distinguish $\#_1(D_0(b))$ and $\#_1(D_1(b))$ with the same advantage as one can distinguish $D_0(b)$ and $D_1(b)$. Since $\#_1(D_0(b))$ is binomially distributed with expectation $\frac{n-1}{2}$ and $\#_1(D_1(b)) = \#_1(D_0(b)) - 1$, it follows that an optimal distinguisher for $\#_1(D_0(b))$ and $\#_1(D_1(b))$ is to guess 0 if $\#_1(D) \ge \frac{n-1}{2}$ and guess 1 otherwise, as this is a maximum likelihood distinguisher. The advantage of this distinguisher is

$$\mathrm{Adv} = \tfrac{1}{2}\Bigl|\Pr\bigl[\#_1(D_0(b)) \ge \tfrac{n-1}{2}\bigr] - \Pr\bigl[\#_1(D_1(b)) \ge \tfrac{n-1}{2}\bigr]\Bigr| = \tfrac{1}{2}\Bigl|\Pr\bigl[\#_1(D_0(b)) \ge \tfrac{n-1}{2}\bigr] - \Pr\bigl[\#_1(D_0(b)) \ge \tfrac{n-1}{2} + 1\bigr]\Bigr|.$$

From $\#_1(D_0(b)) = (n-1) - \#_0(D_0(b))$, we get that $2\#_1(D_0(b)) = \#_1(D_0(b)) + (n-1) - \#_0(D_0(b))$, so $\#_1(D_0(b)) = \frac{n-1}{2} + \frac{1}{2}\bigl(\#_1(D_0(b)) - \#_0(D_0(b))\bigr)$, and it follows that

$$\mathrm{Adv} = \tfrac{1}{2}\Pr\Bigl[\tfrac{1}{2}\bigl(\#_1(D_0(b)) - \#_0(D_0(b))\bigr) \in [0, 1)\Bigr] = \tfrac{1}{2}\Pr\Bigl[\tfrac{1}{2}\#_1(D_0(b)) - \tfrac{1}{2}\#_0(D_0(b)) \in [0, \tfrac{1}{2})\Bigr].$$

The last equality follows from $n$ being odd. Consider then Lemma 4 with $p = q = \frac{1}{2}$ and $N_s = s - 1$. The variable $X_s$ in the premise then has exactly the same distribution as $\frac{1}{2}\#_1(D_0(b)) - \frac{1}{2}\#_0(D_0(b))$ when $s = n$. Plugging $p = q = \frac{1}{2}$ and $N_s = n - 1$ into Lemma 4 we get that $\Pr[\frac{1}{2}\#_1(D_0(b)) - \frac{1}{2}\#_0(D_0(b)) \in [0, \frac{1}{2})] \le$ -JL= n


4.3 Poly-Bi-Deniability

We show that a multi-distributional bi-deniable scheme implies a poly-bi-deniable scheme. From a scheme $(G, G_F, E, E_F, D, F_S, F_R)$ we produce a scheme $(G', E', D', F_S', F_R')$ which encrypts a single bit.

Key generation $G'(1^\kappa)$: For $i = 1, \ldots, n^2$ sample random bits $a_i \in \{0, 1\}$ and then sample $(pk_i, sk_i) \leftarrow G^{a_i}(1^\kappa)$, where $G^0 = G$ and $G^1 = G_F$. Sample the $a_i$'s independently with $\Pr[a_i = 0] = 1/n$. Output $(PK, SK) = ((pk_i)_{i=1}^{n^2}, (sk_i, a_i)_{i=1}^{n^2})$.

Encryption $E'_{PK}(b)$: Parse $PK$ as $(pk_i)_{i=1}^{n^2}$. For $i = 1, \ldots, n^2$:

1. Sample uniformly random $b_i \in_R \{0, 1\}$ and $m_i \in_R \{0, 1\}^\kappa$ such that $b = \bigoplus_{i=1}^{n^2} b_i$.

2. Compute $c_i \leftarrow E^{b_i}_{pk_i}(m'_i; r_i)$, where $m'_i = 0^\kappa$ if $b_i = 0$ and $m'_i = m_i$ if $b_i = 1$, and $E^0 = E$ and $E^1 = E_F$.

Output $C = (c_i)_{i=1}^{n^2}$.

Decryption $D'_{SK}(C)$: Parse $SK$ as $(sk_i, a_i)_{i=1}^{n^2}$ and $C$ as $(c_i)_{i=1}^{n^2}$. For $i = 1, \ldots, n^2$, compute $m'_i = D_{sk_i}(c_i)$ and let $b'_i = 1$ if $m'_i \ne 0^\kappa$ and $b'_i = 0$ if $m'_i = 0^\kappa$. Output $b = \bigoplus_{i=1}^{n^2} b'_i$.

Fake (sender) $F_S'(PK, b, (r_i, m_i, b_i)_{i=1}^{n^2}, b')$: If $b = b'$ output $(r_i, m_i, b_i)_{i=1}^{n^2}$. Otherwise parse $PK$ as $(pk_i)_{i=1}^{n^2}$. Let $m' = \min\{m'_i = b_i \cdot m_i \mid i \in \{1, \ldots, n^2\} \wedge m'_i \ne 0^\kappa\}$ and pick the unique (w.h.p.) index $k$ for which $m'_k = b_k \cdot m_k = m'$ (notice this implies $b_k = 1$). I.e., $k$ is the index of the $c_i$ containing the smallest non-zero plaintext. The minimum is taken according to lexicographic order. Then let $r'_k = F_S(pk_k, m_k, r_k, 0^\kappa)$, $m'_k = m_k$ and $b'_k = 0$. For all $j \ne k$, let $r'_j = r_j$, $m'_j = m_j$ and $b'_j = b_j$. Output $(r'_j, m'_j, b'_j)_{j=1}^{n^2}$.

Fake (receiver) $F_R'(SK, C, b')$: If $D'_{SK}(C) = b'$ output $SK$. Otherwise parse $SK$ as $(sk_i, a_i)_{i=1}^{n^2}$ and $C$ as $(c_i)_{i=1}^{n^2}$ and compute $m'_i = D_{sk_i}(c_i)$. Let $m' = \min\{m'_i \mid i \in \{1, \ldots, n^2\} \wedge m'_i \ne 0^\kappa\}$ and pick the unique (w.h.p.) index $k$ for which $m'_k = m'$. I.e., $k$ is the index of the $c_i$ containing the smallest non-zero plaintext. The minimum is taken according to lexicographic order. If $a_k = 0$, then give up. If $a_k = 1$, then let $sk'_k = F_R(sk_k, c_k, 0^\kappa)$ and $a'_k = 0$. For all $j \ne k$, let $sk'_j = sk_j$ and $a'_j = a_j$. Output $SK' = (sk'_j, a'_j)_{j=1}^{n^2}$.

Theorem 4. If $(G, G_F, E, E_F, D, F_S, F_R)$ is multi-distributional bi-deniable, then $(G', E', D', F_S', F_R')$ is $O(n^{-1/2})$-bi-deniable.

Proof. Correctness follows by observing that $b'_i = b_i$ unless one of the uniformly random $\kappa$-bit messages $m_i$ happens to be $0^\kappa$, which is a negligible event. Semantic security is obvious. As for bi-deniability, by a hybrid argument similar to that in the proofs of Thm. 2 and Thm. 3, distinguishing the honest and faking game comes down to distinguishing the following two randomized encodings of a bit $b$.

1. $E_0(b) = (b_1, \ldots, b_{n^2}, a_1, \ldots, a_{n^2})$, where the $b_i \in \{0, 1\}$ are sampled uniformly at random except that $\bigoplus_{i=1}^{n^2} b_i = b$ and the $a_i \in \{0, 1\}$ are sampled such that $\Pr[a_i = 0] = 1/n$.

2. $E_1(b) = (b_1, \ldots, b_{n^2}, a_1, \ldots, a_{n^2})$ is sampled as follows. First sample $b', a' \in \{0, 1\}^{n^2}$ as in $E_0(b \oplus 1)$. Then, if $b' = 0^{n^2}$, let $(b_1, \ldots, b_{n^2}) = (b'_1, \ldots, b'_{n^2})$. Otherwise, pick a uniformly random $k \in \{1, \ldots, n^2\}$ for which $b'_k = 1$ and then let $b_k = 0$ and let $b_i = b'_i$ for $i \ne k$. If $a'_k = 1$ let $a_k = 0$ and let $a_i = a'_i$ for $i \ne k$.

It happens that $a'_k = 0$ with probability $1/n$, so by adding $1/n$ to the bound in the end, we can analyse under the assumption that $a'_k = 1$. In that case we can describe $E_1(b)$ as above, except that we pick $k$ uniformly at random among the $i$'s for which $b'_i = 1$ and $a'_i = 1$. Then we set $b_k = 0$ and $a_k = 0$ and set $b_i = b'_i$ and $a_i = a'_i$ for $i \ne k$.

Given a vector $v = (b_1, \ldots, b_{n^2}, a_1, \ldots, a_{n^2})$, we let $\#_{00}(v)$ be the number of $i$'s for which $b_i = a_i = 0$ and we let $\#_{11}(v)$ be the number of $i$'s for which $b_i = a_i = 1$. For simplicity we assume that $b$ is uniformly random, such that $b_1, \ldots, b_{n^2}$ is uniform in $\{0, 1\}^{n^2}$. Deriving the same bound for fixed $b = 0$ and $b = 1$ is straightforward. Let $p = \frac{1}{2n}$ be the probability that $a_i = 0$ and $b_i = 0$. Let $q = \frac{1}{2}\bigl(1 - \frac{1}{n}\bigr)$ be the probability that $a_i = 1$ and $b_i = 1$. The expected value of $\#_{00}(E_0(b))$ is $pn^2$. The expected value of $\#_{11}(E_0(b))$ is $qn^2$, and $\#_{00}(E_1(b)) = \#_{00}(E_0(b)) + 1$ and $\#_{11}(E_1(b)) = \#_{11}(E_0(b)) - 1$. From this it can be derived as in the proof of Thm. 3 that the maximum likelihood distinguisher for $E_0(b)$ and $E_1(b)$ guesses 0 if $q\#_{00} - p\#_{11} > 0$ and that its advantage is $\frac{1}{2}\Pr[q\#_{00}(E_0(b)) - p\#_{11}(E_1(b)) \in [0, \frac{1}{2})]$. Using Lemma 4 as in the proof of Thm. 3 with $s = n$, $N_s = s^2$ and the $p$ and $q$ defined above, it follows that

$$\Pr\Bigl[q\#_{00}(E_0(b)) - p\#_{11}(E_1(b)) \in [0, \tfrac{1}{2})\Bigr] \le (\sqrt{2} + \ldots).$$

The theorem then follows from $\sqrt{2} + \frac{1}{\sqrt{\pi}} < 2$. □
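The maximum-likelihood advantages in the proofs of Theorem 3 and Theorem 4 are both instances of the Lemma 4 quantity $\Pr[X_s \in [0, \frac{1}{2})]$, and for small $n$ they can be evaluated exactly instead of bounded. The following added example (not code from the paper) enumerates the binomial law for Theorem 3 ($p = q = \frac{1}{2}$, $N_s = n - 1$) and the trinomial law for Theorem 4 ($N_s = n^2$, with $p = \frac{1}{2n}$ and $q = \frac{1}{2}(1 - \frac{1}{n})$ taken as the probabilities of a $00$ and a $11$ position, which is how the proof defines $p$ and $q$), then adds the $1/n$ term for the case $a'_k = 0$. It shows how the exact values sit relative to the stated $(n-1)^{-1/2}$ and $O(n^{-1/2})$ bounds; function names are this example's own.

```python
"""Exact evaluation of the maximum-likelihood advantages in the proofs of
Theorems 3 and 4, i.e. Lemma 4's Pr[X_s in [0, 1/2)] for the two parameter
settings those proofs use. Added example, not code from the paper.

Theorem 3: p = q = 1/2, N_s = n - 1, so X_s = (#_1 - #_0)/2 over n-1 fair bits.
Theorem 4: p = 1/(2n), q = (1 - 1/n)/2, N_s = n^2 (values derived from the
           proof's definitions of p and q), so X_s = q*#_00 - p*#_11.
Everything is computed exactly with Fractions by enumerating the (multi)nomial law.
"""
from fractions import Fraction
from math import comb, factorial, sqrt


def receiver_ml_advantage(n: int) -> Fraction:
    """Theorem 3, n odd: Adv = 1/2 * Pr[#_1(D_0(b)) = (n-1)/2] with
    #_1 ~ Bin(n-1, 1/2), i.e. the event (#_1 - #_0)/2 in [0, 1/2)."""
    if n % 2 == 0:
        raise ValueError("the proof assumes n odd")
    N = n - 1
    return Fraction(comb(N, N // 2), 2 ** N) / 2


def lemma4_interval_probability(p: Fraction, q: Fraction, N: int) -> Fraction:
    """Pr[X in [0, 1/2)] for X = sum of N i.i.d. draws that equal +q with
    probability p, -p with probability q and 0 otherwise (Lemma 4's D_s)."""
    r = 1 - p - q
    total = Fraction(0)
    for u in range(N + 1):            # u draws of +q
        for v in range(N + 1 - u):    # v draws of -p, w = N-u-v draws of 0
            x = q * u - p * v
            if 0 <= x < Fraction(1, 2):
                w = N - u - v
                ways = factorial(N) // (factorial(u) * factorial(v) * factorial(w))
                total += ways * p ** u * q ** v * r ** w
    return total


def theorem3_via_lemma4(n: int) -> Fraction:
    """Same quantity as receiver_ml_advantage, but computed through Lemma 4's
    D_s with p = q = 1/2 and N_s = n - 1: a cross-check of the reduction."""
    half = Fraction(1, 2)
    return lemma4_interval_probability(half, half, n - 1) / 2


def bideniable_ml_advantage(n: int) -> Fraction:
    """Theorem 4 core term: 1/2 * Pr[q*#_00 - p*#_11 in [0, 1/2)] over the
    n^2 positions of E_0(b), before the extra 1/n for the case a'_k = 0."""
    p = Fraction(1, 2 * n)
    q = Fraction(1, 2) * (1 - Fraction(1, n))
    return lemma4_interval_probability(p, q, n * n) / 2


def bideniable_bound(n: int) -> Fraction:
    """The full bound the proof arrives at: core term plus 1/n."""
    return bideniable_ml_advantage(n) + Fraction(1, n)


if __name__ == "__main__":
    for n in (3, 5, 7, 9):
        adv3 = receiver_ml_advantage(n)
        adv4 = bideniable_bound(n)
        print(f"n={n}: Thm3 Adv={float(adv3):.4f} vs (n-1)^(-1/2)={1 / sqrt(n - 1):.4f}; "
              f"Thm4 bound={float(adv4):.4f} vs 2/sqrt(n)={2 / sqrt(n):.4f}")
```

For $n = 3$ the Theorem 3 advantage is exactly $1/4$ and the Theorem 4 core term is about $0.17$ (enumerating the ten $(\#_{00}, \#_{11})$ pairs with $2\#_{00} - \#_{11} \in \{0, 1, 2\}$ over nine positions); both shrink like $n^{-1/2}$ as $n$ grows, while the additive $1/n$ from the $a'_k = 0$ case vanishes faster.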
Abstract. Broadcast encryption (BE) schemes allow a sender to securely broadcast to any subset of members but require a trusted party to distribute decryption keys. Group key agreement (GKA) protocols enable a group of members to negotiate a common encryption key via open networks so that only the members can decrypt the ciphertexts encrypted under the shared encryption key, but a sender cannot exclude any particular member from decrypting the ciphertexts. In this paper, we bridge these two notions with a hybrid primitive referred to as contributory broadcast encryption (CBE). In this new primitive, a group of members negotiate a common public encryption key while each member holds a decryption key. A sender seeing the public group encryption key can limit the decryption to a subset of members of his choice. Following this model, we propose a CBE scheme with short ciphertexts. The scheme is proven to be fully collusion-resistant under the decision n-Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model. We also illustrate a variant in which the communication and computation complexity is sub-linear in the group size. Of independent interest, we present a new BE scheme that is aggregatable. The aggregatability property is shown to be useful to construct advanced protocols.

Keywords: Broadcast encryption; Group key agreement; Contributory broadcast encryption; Provable Security.


1 Introduction 

With the fast advance and pervasive deployment of communication technologies, there is an increasing demand for versatile cryptographic primitives to protect modern communication and computation platforms. These new platforms, including instant-messaging tools, collaborative computing, mobile ad hoc networks and social networks, allow exchanging data within any subset of their users. These new information technologies provide potential opportunities for organizations and individuals. For instance, the users of a social network may wish to share their private photos/videos with their friends; scientists from different places may want to collaborate in a research project by means of an insecure third-party platform.

These new applications call for cryptographic primitives allowing a sender to securely encrypt to any subset of the users of the services without relying on a fully trusted dealer. Broadcast encryption (BE) [03 is a well-studied primitive intended for secure group-oriented communications. It allows a sender to securely broadcast to any subset of the group members. Nevertheless, its security heavily relies on a trusted key server to generate and distribute secret decryption keys for the members; both the sender and the receivers must fully trust the key server, which can read all communications to any subset of the group members.

Group key agreement (GKA) |2D| is another well-established primitive to secure group-oriented communications. A conventional GKA protocol allows a group of members to establish a common secret key via open networks. However, whenever a sender wants to broadcast to a group, he must first join the group and run a GKA protocol to share a secret key with the intended members. To overcome this limitation, Wu et al. recently introduced asymmetric GKA E2 in which only a common group public key is negotiated and each group member holds a different decryption key. However, neither conventional symmetric GKA nor the newly-introduced asymmetric GKA allows the sender to exclude any particular member on demand.¹ Hence, it is essential to find more flexible cryptographic primitives allowing dynamic broadcasts without a fully trusted dealer.


1.1 Our Contributions 

In this paper we present the Contributory Broadcast Encryption (CBE) prim- 
itive, which is a hybrid of GKA and BE. The new cryptographic primitive is 
motivated by the emerging communication and computation platforms. In CBE, 
a group of members contribute to the public group encryption key, and a sender 
can securely broadcast to any subset of the group members chosen in an ad hoc 
way. Specifically, our main contributions can be summarized as follows. 

First, we present a model of CBE and formalize its security definitions. CBE 
incorporates the underlying ideas of GKA and BE. In the set-up stage of a CBE 
scheme, a group of members interact via open networks to negotiate a common 
encryption key while each member holds a different secret decryption key. Using 
the common encryption key, anyone can encrypt any message to any subset of 
the group members and only the intended receivers can decrypt. Unlike GKA, 
CBE allows the sender to exclude some members from reading the ciphertexts. 

¹ Dynamic GKA equipped with a leave sub-protocol allows a sender to exclude some members from decrypting ciphertexts. In this case, the sender has to negotiate with the remaining members for their agreement to run the leave sub-protocol. The sender cannot exclude any member on his own demand.
Compared to BE, CBE does not need a fully trusted third party to set up the system. We formalize collusion resistance by defining an attacker who can adaptively corrupt some members during the set-up stage and can also query the decryption keys of the group members after the system is set up. Even if the attacker fully controls all members outside the intended receivers, she cannot extract useful information from the ciphertext. A trivial CBE scheme can be constructed by concurrently encrypting to each member with her/his regular public key. Unfortunately, the trivial solution incurs a heavy encryption cost and produces linear-size ciphertexts. The challenge is to design CBE schemes with efficient encryption and short ciphertexts.

Second, we present the notion of aggregatable broadcast encryption (ABE) and construct a concrete ABE scheme. The construction is based on the newly introduced aggregatable signature-based broadcast (ASBB) primitive ET2|. Our ABE construction is tightly proven to be fully collusion-resistant under the decision BDHE assumption, and offers short ciphertexts and efficient encryption. Further, the proposed ABE scheme is equipped with aggregatability, which means that different instances of the ABE scheme can be aggregated into a new instance. We observe that the BE schemes in the literature are not aggregatable. However, the aggregatability of ABE schemes seems very useful to design advanced protocols, as illustrated in the construction of our CBE scheme.

Finally, we construct an efficient CBE scheme with our ABE scheme as a building block. The CBE construction is proven to be semi-adaptively secure under the decision BDHE assumption in the standard model. Only one round is required to establish the public group encryption key and set up the CBE system. After the system set-up, the storage cost of both the sender and the group members is $O(n)$, where $n$ is the number of group members participating in the set-up stage. However, the online complexity (which dominates the practicality of a CBE scheme) is very low. Indeed, at the sender's side, the encryption needs only $O(1)$ exponentiations and generates $O(1)$-size ciphertexts; and at the receivers' side, the decryption requires only $O(1)$ exponentiations and $O(1)$ bilinear map operations. We also illustrate a trade-off between the set-up complexity and the online performance. After the trade-off, the variant has $O(n^{2/3})$ complexity in communication, computation and storage. This is comparable to up-to-date regular BE schemes which have $O(n^{1/2})$ complexity in the same performance metrics, but our scheme does not require a trusted key dealer. As a versatile GKA scheme, our CBE does not require additional rounds to enable a new sender to broadcast to the group members or to let a sender revoke any subset of group members. These features are desirable for applications in which the sender and the group members may change frequently.

1.2 Related Work 

Considerable efforts have been devoted to protecting group communications. Among them, the most prominent notions are key agreement and broadcast encryption. Since the inception of the Diffie-Hellman protocol M in 1976, a number of proposals have addressed key agreement protocols for multiple parties. The schemes due to Ingemarsson et al. j2Dj and Steiner et al. m are designed for $n$ parties and require $O(n)$ rounds. Tree key structures have been further proposed and reduced the number of rounds to $O(\log n)$ fFMIWFi]. A multi-round GKA protocol poses a synchronism requirement on group members and it needs all group members to simultaneously stay online to complete the protocol. Several proposals (e.g., p i 1 Him]) have been motivated to optimize round complexity in GKA protocols. Burmester and Desmedt m proposed a two-round GKA protocol for $n$ parties. The Joux protocol m is one-round and only applicable to three parties. The work of Boneh and Silverberg j^| shows that a one-round $(n+1)$-party GKA protocol can be constructed from $n$-linear pairings. However, it remains unknown whether there exist $n$-linear pairings for $n > 2$.

Dynamic GKA protocols provide extra mechanisms to cope with member changes. Bresson et al. 0E3| extended the protocol in m to dynamic GKA protocols which allow members to leave and join the group. The number of rounds in the set-up/join algorithms of their protocols [flUi 0| is linear in the group size, but the number of rounds in the leave algorithm is constant. The theoretical analysis j2B| proves that, for any tree-based group key agreement scheme, the lower bound of the worst-case cost is $O(\log n)$ rounds for a member to join or leave. Without relying on a tree-based structure, Kim et al. m proposed a two-round dynamic GKA protocol. Recently, Abdalla et al. [Tj presented a two-round dynamic GKA protocol in which only one round is required to cope with the change of members if they are in the initial group. Observing that existing GKA protocols cannot handle sender changes efficiently, Wu et al. presented the notion of asymmetric GKA to support sender changes, and their instantiated protocol allows anyone to securely broadcast to the group members.

BE is another well-established cryptographic primitive developed for secure
group communications. BE schemes in the literature can be classified into two
categories, i.e., symmetric-key BE and public-key BE. In the symmetric-key
setting, only the trusted center generates all the secret keys and broadcasts
messages to users. Hence, only the key generation center can be the broadcaster
or the sender. Fiat and Naor [ref] first formalized broadcast encryption in the
symmetric-key setting and proposed a systematic BE method. Similarly to the
GKA setting, tree-based key structures were subsequently proposed to improve
efficiency in symmetric-key BE systems [ref]. The state of the art along this
research line is presented in [ref].

Public-key BE schemes are more flexible in practice. In this setting, in addition
to the secret keys for each user, the trusted center also generates a public key
for all the users so that anyone can play the role of broadcaster or sender.
Naor and Pinkas [ref] presented the first public-key BE scheme, in which up
to a threshold of users can be revoked. If more than this threshold of users
are revoked, the scheme becomes insecure, and hence it is not fully collusion-resistant.
Subsequently, by exploiting newly developed bilinear pairing technologies, a fully
collusion-resistant public-key BE scheme was presented in [3] which has $O(\sqrt{n})$
complexity in key size, ciphertext size and computation cost. A recent scheme [20]
slightly reduces the size of the key and the ciphertexts, although it still has sub-
linear complexity. The schemes presented in [ref] strengthen the security
concept of public-key BE schemes. However, as to performance, the sub-linear
barrier $O(\sqrt{n})$ has not yet been broken.

Although both GKA and BE are used to secure group communications, they 
have very different features as they were initially developed for different types of 
group-oriented applications. First, GKA can be applied to ad hoc groups where 
there is no fully trusted party while BE is usually deployed to secure group 
communications where a fully trusted third party is available. Second, the
encryption key in GKA protocols is usually established by group members in a
contributory way, whether in conventional symmetric GKAs or in the newly-introduced
asymmetric GKAs. On the contrary, the encryption key in BE schemes is usually
generated by a centralized key server. Third, the secret decryption key in GKA 
protocols is computed by each member with public inputs from other members 
and his/her own private inputs. Contrary to GKA protocols, the decryption key 
of each member in BE schemes is assigned by the dealer, which implies that the 
dealer can read all communications to any subset of the group members and n 
secure unicast channels have to be established before a BE scheme is set up. 
Finally, in a GKA protocol group members need to interact to update their keys 
if the membership changes, which implies that a sender cannot exclude some 
members from reading the ciphertexts. Unlike GKA, BE supports a much more 
flexible revocation mechanism. It allows a sender to choose the intended receivers 
on demand to read the ciphertexts. This revocation mechanism does not require 
cooperation among group members or extra interactions between the dealer and 
the group members. For the newly-emerging applications, the contributory feature
of GKA protocols is desirable, but GKA protocols do not allow a sender
to exclude receivers from reading specific ciphertexts on demand; the flexible
revocation mechanism of BE schemes is desirable, but BE schemes rely heavily
on a fully trusted authority that is hard to implement in the motivating
scenarios. These observations inspire us to investigate more versatile cryptographic
primitives to bridge the gap.


1.3 Paper Organization 

The rest of the paper is organized as follows. In Section 2 we model CBE and
define its security. In Section 3 we present a collusion-resistant regular public-key
BE scheme with aggregatability. Efficient CBE schemes are realized in Section 4,
and Section 5 concludes the paper.

2 Modeling Contributory Broadcast Encryption 

We begin by formalizing the CBE notion bridging the GKA and BE primitives.
In CBE, a group of members first jointly establish a public encryption key; then
a sender can freely select which subset of the group members can decrypt the
ciphertext. Our definition incorporates the up-to-date definitions of GKA
protocols [ref] and BE schemes [3]. Since the negotiated public key is usually employed
to transmit session keys, we define a CBE scheme as a key encapsulation mechanism
(KEM). Knowing this public encryption key, anyone can send a session key
$\xi$ to any subset of the initial group members. Only the intended receivers can
extract $\xi$. Even if all the outsiders, including group members not in the intended
subset, collude, they receive no information about $\xi$.


2.1 Syntax 

We first define the algorithms that compose a CBE scheme. Let $\lambda \in \mathbb{N}$ denote
the security parameter. Suppose that a group of members $\{U_1, \dots, U_n\}$ wants to
jointly establish a CBE system, where n is a positive integer and each member
$U_i$ is indexed by i for $1 \le i \le n$. We focus on bridging BE and GKA and we
assume that the communications between members are authenticated, but we
do not further elaborate on the authentication of the group members. Formally,
a CBE scheme is a tuple CBE = (ParaGen, CBSetup, CBEncrypt, CBDecrypt) of
polynomial-time algorithms defined as follows.

ParaGen($1^\lambda$). This algorithm is used to generate global parameters. It takes as
input a security parameter $\lambda$ and outputs the system parameters, including
the group size n.

CBSetup($U_1(x_1), \dots, U_n(x_n)$). This interactive algorithm is jointly run by
members $U_1, \dots, U_n$ to set up a BE scheme. Each member $U_i$ takes private
input $x_i$ (and her/his random coins representing the member's random
inner state information). The communications between members go
through public but authenticated channels. The algorithm either aborts
or terminates successfully. If it terminates successfully, each user $U_i$ outputs
a decryption key $dk_i$, securely kept by the user, and a common group
encryption key $gek$ shared by all group members. The group encryption key $gek$
is publicly accessible. If the algorithm aborts, it outputs NULL. Here, we
leave the input system parameters implicit. We denote this procedure by
$(U_1(dk_1), \dots, U_n(dk_n);\, gek) \leftarrow \mathrm{CBSetup}(U_1(x_1), \dots, U_n(x_n))$.

CBEncrypt($R, gek$). This group encryption algorithm is run by a sender who
is assumed to know the public group encryption key. The sender may or
may not be a group member. The algorithm takes as inputs a receiver set
$R \subseteq \{1, \dots, n\}$ and the public group encryption key $gek$, and it outputs a
pair $(c, \xi)$, where c is the ciphertext and $\xi$ is the secret session key in a key
space $\mathcal{K}$. Then $(c, R)$ is sent to the receivers.

CBDecrypt($R, j, dk_j, c$). This decryption algorithm is run by each intended
receiver. It takes as inputs the receiver set R, an index $j \in R$, the receiver's
decryption key $dk_j$ and a ciphertext c, and it outputs the secret session key $\xi$.

2.2 Security Definitions 

The correctness of a CBE scheme means that if all members and the sender follow
the scheme honestly, then the members in the receiver set can always correctly
decrypt. Formally, the correctness of a CBE scheme is defined as follows.

Definition 1 (Correctness). A CBE scheme is correct if for any parameter
$\lambda \in \mathbb{N}$ and any element $\xi$ in the session key space, $(U_1(dk_1), \dots, U_n(dk_n);\, gek)
\leftarrow \mathrm{CBSetup}(U_1(x_1), \dots, U_n(x_n))$, and $(c, \xi) \leftarrow \mathrm{CBEncrypt}(R, gek)$, it holds that
$\mathrm{CBDecrypt}(R, j, dk_j, c) = \xi$ for any $j \in R$.

We next define the secrecy of a CBE scheme. In the above, to achieve better 
practicality, a CBE scheme is modeled as a KEM in which a sender sends a 
(short) secret session key to the intended receivers and simultaneously, (long) 
messages can be encrypted using a secure symmetric encryption algorithm with 
the session key. Hence, we define the secrecy of a CBE scheme by the indistin- 
guishability of the encrypted session key from a random element in the session 
key space. Since there exist standard conversions (e.g., [ref]) from secure KEM
against chosen-plaintext attacks (CPA) to secure encryption against adaptively 
chosen-ciphertext attacks (CCA2), it is sufficient to only define the CPA se- 
crecy of CBE schemes. However, noting that CBE is designed for distributed 
applications where the users are likely to be corrupted, we include full collusion 
resistance into our secrecy definition. 

The fully collusion-resistant secrecy of a CBE scheme is defined by the following
secrecy game between a challenger CH and an attacker $\mathcal{A}$.

Initial. The challenger CH runs ParaGen with a security parameter $\lambda$ and obtains
the system parameters. The system parameters are given to the attacker $\mathcal{A}$.

Queries. The attacker $\mathcal{A}$ can make the following queries to the challenger CH.
Execute. The attacker $\mathcal{A}$ uses the identities of n members $U_1, \dots, U_n$ to
query the challenger CH. The challenger runs $\mathrm{CBSetup}(U_1(x_1), \dots, U_n(x_n))$
on behalf of the n members, and responds with the group encryption key $gek$
and the transcripts of CBSetup to the attacker $\mathcal{A}$.
Corrupt. The attacker $\mathcal{A}$ sends i to the Corrupt oracle maintained by the
challenger CH, where $i \in \{1, \dots, n\}$. The challenger CH returns the private
input and inner random coins of $U_i$ during the execution of CBSetup.
Reveal. The attacker $\mathcal{A}$ sends i to the Reveal oracle maintained by the
challenger CH, where $i \in \{1, \dots, n\}$. The challenger CH responds with
$dk_i$, which is the decryption key of $U_i$ after the execution of CBSetup.
Challenge. At any point, the attacker $\mathcal{A}$ can choose a target set $R^* \subseteq \{1, \dots, n\}$
to attack, with the constraint that the indices in $R^*$ have never been queried
to the Corrupt oracle or the Reveal oracle. Receiving $R^*$, the challenger CH
computes $(c^*, \xi) \leftarrow \mathrm{CBEncrypt}(R^*, gek)$, randomly selects $\rho \in \{0,1\}$ and
responds with the challenge $(c^*, \xi^*)$, where $\xi^* = \xi$ if $\rho = 1$, and $\xi^*$ is
sampled uniformly from the session key space $\mathcal{K}$ if $\rho = 0$. (This matches
the secrecy notion above: the encapsulated session key must be indistinguishable
from a random element of the key space.)

Output. Finally, $\mathcal{A}$ outputs a bit $\rho'$, its guess of $\rho$. The adversary wins if $\rho' = \rho$.

We define $\mathcal{A}$'s advantage $\mathrm{Adv}^{\mathrm{sec\text{-}fc}}_{\mathrm{CBE},\mathcal{A}}$ in winning the above fully collusion-
resistant secrecy game as

$$\mathrm{Adv}^{\mathrm{sec\text{-}fc}}_{\mathrm{CBE},\mathcal{A}} = \left|\Pr[\rho' = \rho] - \tfrac{1}{2}\right|.$$
Definition 2. An n-party CBE scheme has adaptive $(\tau, n, \varepsilon)$-secrecy against a
full-collusion attack if there is no adversary $\mathcal{A}$ which runs in time at most $\tau$ and
has advantage $\mathrm{Adv}^{\mathrm{sec\text{-}fc}}_{\mathrm{CBE},\mathcal{A}}$ at least $\varepsilon$ in the above secrecy game. An n-party
CBE scheme has semi-adaptive $(\tau, n, \varepsilon)$-secrecy against a full-collusion attack if,
for any attacker $\mathcal{A}'$ running in time $\tau$, $\mathcal{A}'$'s advantage $\mathrm{Adv}^{\mathrm{sec\text{-}fc}}_{\mathrm{CBE},\mathcal{A}'}$ is less than
$\varepsilon$ in the above secrecy game, with the extra constraints that $\mathcal{A}'$ (1) must commit
to a set of indices $M \subseteq \{1, \dots, n\}$ before the Queries stage, (2) can only query
Corrupt and Reveal with $i \in M$, and (3) can only choose $R^* \subseteq \{1, \dots, n\} \setminus M$ to query CH in
the Challenge stage.

The above definition captures full collusion resistance since the attacker is
allowed to access the Corrupt and Reveal oracles. The Corrupt oracle is used
to model an attacker who compromises some members during the set-up stage
to establish the group encryption key. The Reveal oracle is used to capture
the decryption key leakage after the CBE system has been established. This
difference can be used to differentiate the secrecy against attacks during the
set-up stage from the secrecy against attacks after a CBE system is deployed.

2.3 Remarks on Complexity Bounds of CBE and BE Schemes 

Before concrete CBE schemes are constructed, it is meaningful to examine the 
complexity bound of a CBE scheme for the purpose of guiding the design of 
CBE schemes. 

A CBE scheme consists of an offline stage (consisting of ParaGen and CBSetup)
to establish the group encryption key and an online stage enabling a sender to
securely encrypt to the intended receivers. Since CBE allows a sender to revoke members,
the members do not need to reassemble for a new run of the CBSetup procedure
until some new members join. This implies that the practicality of a CBE scheme
critically depends on the overheads of the CBEncrypt and CBDecrypt procedures
for online encryption of session keys and decryption of ciphertexts. Hence, special
efforts should be devoted to improving this online performance.

It is easy to see that there exists a trivial construction of CBE schemes. A
group of n members independently generate public/secret key pairs in a standard
public-key cryptosystem. The public group encryption key is the concatenation of
the members' public keys, and each member's decryption key is his/her secret
key. To broadcast to a subset of the members, a sender encrypts the session
key under each intended member's public key and obtains the CBE ciphertext by
concatenating the generated (up to n) ciphertexts of the underlying public-key cryptosystem.
This trivial CBE has $n\tau_{\mathrm{PKE}}$ online encryption cost and an $n\ell_{\mathrm{PKE}}$-size ciphertext, where
$\ell_{\mathrm{PKE}}$ is the binary length of a ciphertext in the standard public-key cryptosystem,
and $\tau_{\mathrm{PKE}}$ is the time to perform a standard public-key encryption operation.
Hence, the upper bound of the online complexity of a CBE scheme is $O(n)$.

We next analyze whether there exist CBE schemes with online complexity less
than $O(n)$. From the definition of CBEncrypt, a sender has to read the indices in
$R \subseteq \{1, \dots, n\}$ and perform some operations involving each index. This implies
that the CBEncrypt procedure has a cost of $|R|\,\tau_{\mathrm{CEO}}$, where $|R| = n$ in the worst
case and $\tau_{\mathrm{CEO}}$ is the time to perform a basic cryptographic encryption operation
involving each index. Also, the sender needs to send $(c, R)$ to the receivers. This
requires $\ell_c + n$ bits, where $\ell_c$ is the binary size of the CBE ciphertext (the
receiver set R can be encoded as an n-bit vector). The
analysis shows that the lower bound of the online complexity of a CBE scheme
is also $O(n)$.

From the above analysis, it would seem that nothing better than a trivial CBE
can be done. However, a closer look shows this is not the case. First, a well-
designed CBE can be more efficient than a trivial CBE if $\tau_{\mathrm{CEO}} \ll \tau_{\mathrm{PKE}}$, and the
performance difference is further amplified by the factor n. Second, $\ell_{\mathrm{PKE}}$ is
usually hundreds to thousands of bits, thus a trivial CBE may consume hundreds to
thousands of times more bits than an elegantly developed CBE if $\ell_c$ is independent
of the group size n. Hence, the efforts to achieve non-trivial CBE schemes are
meaningful in practice.

To highlight this point, we further look at regular public-key BE schemes.
The definitions of encryption and decryption in our CBE are exactly the same as
those of standard public-key BE schemes [3]. Hence, the above online complexity
bounds also apply to regular BE systems. Furthermore, by slightly modifying the
above trivial CBE, one can also obtain a trivial public-key BE scheme. To strictly
follow the public-key BE definition, one just needs to let a trusted key dealer
generate the public/secret key pairs for all members. The rest is the same as the
trivial CBE. This implies that a trivial public-key BE scheme has exactly the
same asymptotic complexity as the trivial CBE. However, as discussed above, it
is still meaningful to construct non-trivial public-key BE schemes. Indeed, this
work has attracted a lot of attention and numerous efforts (e.g., [ref])
have been devoted to reducing the $\ell_c$ size and the $\tau_{\mathrm{CEO}}$ complexity. We do a parallel
work in the CBE setting.


3 An Aggregatable BE Scheme 

Previously, aggregatability was mainly considered in the signature setting [ref]
and exploited to reduce the signature verification time and the storage overhead
when numerous signatures need to be verified and stored. Wu et al. [22]
first presented the ASBB notion and considered aggregatability in the static BE
setting. In this section, we integrate aggregatability into dynamic BE schemes
and instantiate an aggregatable BE (ABE) scheme.

3.1 Review of Aggregatable Signature-Based Broadcast 

Our ABE scheme is based on the ASBB primitive [22]. An ASBB scheme consists
of the algorithms ParaGen, KeyGen, Sign, Verify, Encrypt and Decrypt.
ParaGen takes as input a security parameter $\lambda$ and outputs the public parameters
$\pi$. KeyGen takes input $\pi$ and outputs a public/secret key pair $(pk, sk)$. Sign
takes as input the key pair $(pk, sk)$ and a string s, and outputs a signature $\sigma(s)$.
Verify takes as input the public key pk and the signature $\sigma(s)$ of the string s,
and outputs 0 or 1. Encrypt takes as input a public key pk and a plaintext m,
and outputs a ciphertext c. Decrypt takes as input the public key pk, a valid
string-signature pair $(s, \sigma(s))$ and a ciphertext c, and outputs the plaintext m.

An ASBB scheme has a key-homomorphic property. This property states that,
for any two public/secret key pairs $(pk_1, sk_1)$ and $(pk_2, sk_2)$ generated by running
KeyGen($\pi$), and two signatures $\sigma_1 = \mathrm{Sign}(pk_1, sk_1, s)$, $\sigma_2 = \mathrm{Sign}(pk_2, sk_2, s)$
on any message string s with respect to the two public keys, it holds that
$\mathrm{Verify}(pk_1 \oplus pk_2, s, \sigma_1 \otimes \sigma_2) = 1$, where $\oplus: \Gamma \times \Gamma \to \Gamma$ and $\otimes: \Omega \times \Omega \to \Omega$
are two efficient operations in the public key space $\Gamma$ and the signature
space $\Omega$, respectively. Clearly, from the key-homomorphic property, we have that
$\mathrm{Decrypt}(pk_1 \oplus pk_2, s, \sigma_1 \otimes \sigma_2, c) = m$ for any plaintext m and the corresponding
ciphertext $c = \mathrm{Encrypt}(pk_1 \oplus pk_2, m)$.

Furthermore, an ASBB scheme has an interesting property referred to as
aggregatability. Assume that an adversary $\mathcal{A}$ knows $(\pi, pk_1, \dots, pk_n)$, where $\pi$ is
the system parameters, and $pk_1, \dots, pk_n$ are n different public keys generated by
independently invoking KeyGen of the ASBB scheme. For n public binary strings
$s_1, \dots, s_n \in \{0,1\}^*$, the adversary $\mathcal{A}$ is provided with valid signatures $\sigma_i(s_j)$
under $pk_i$ for $1 \le i, j \le n$ and $i \ne j$. Due to the key-homomorphic property,
$pk = pk_1 \oplus \dots \oplus pk_n$ forms the public key of the aggregated ASBB instance.
Aggregatability states that the new ASBB instance related to the aggregated
public key pk is secure against any polynomial-time adversary $\mathcal{A}$. Wu et al.'s
ASBB scheme [22] is briefly reviewed next.

- ParaGen($1^\lambda$). Let PairGen be an algorithm that, on input a security parameter
  $1^\lambda$, outputs a tuple $\Upsilon = (p, \mathbb{G}, \mathbb{G}_T, e)$, where $\mathbb{G}$ and $\mathbb{G}_T$ have the same
  prime order p, and $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is an efficient non-degenerate bilinear
  map such that $e(g, g) \ne 1$ for any generator g of $\mathbb{G}$, and for all $u, v \in \mathbb{Z}$ it
  holds that $e(g^u, g^v) = e(g, g)^{uv}$. Let $\Upsilon = (p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathrm{PairGen}(1^\lambda)$, g
  be a generator of $\mathbb{G}$, and $H: \{0,1\}^* \to \mathbb{G}$ be a cryptographic hash function.
  The system parameters are $\pi = (\Upsilon, g, H)$.

- KeyGen($\pi$). Select at random $r \in \mathbb{Z}_p^*$, $X \in \mathbb{G} \setminus \{1\}$. Compute $R = g^{-r}$, $A =
  e(X, g)$. Output the public key $pk = (R, A)$ and its associated secret key
  $sk = (r, X)$.

- Sign($pk, sk, s$). Take as inputs the public key $pk = (R, A)$, the secret key $sk = (r, X)$
  and a string $s \in \{0,1\}^*$, and output the signature $\sigma = X\,H(s)^r$ on s.

- Verify($pk, s, \sigma$). Take as inputs the public key $pk = (R, A)$ and a message-signature
  pair $(s, \sigma)$, and output 1 if $e(\sigma, g)\,e(H(s), R) = A$ holds; else output 0.

- Encrypt($pk, \xi$). Given the public key $pk = (R, A)$ and a plaintext $\xi \in \mathbb{G}_T$,
  randomly select $t \in \mathbb{Z}_p^*$ and compute $c_1 = g^t$, $c_2 = R^t$, $c_3 = \xi A^t$. Output
  $c = (c_1, c_2, c_3)$.

- Decrypt($pk, s, \sigma, c$). Given the public key $pk = (R, A)$ and a ciphertext $c =
  (c_1, c_2, c_3)$, anyone with a valid message-signature pair $(s, \sigma)$ can extract $\xi$.

In the ASBB scheme, every signature under the public key can be used as a
decryption key to decrypt ciphertexts generated with the same public key. This
feature allows ASBB to be used as a static broadcast encryption scheme.
3.2 An Aggregatable BE Scheme Based on ASBB

We construct a BE scheme from the ASBB scheme and show that the resulting
BE scheme preserves the aggregatability of the underlying ASBB scheme.
The construction is conceptually simple. Assume that the j-th user holds
decryption keys$^2$ corresponding to the indices $\{0, \dots, n\} \setminus \{j\}$. An encrypter knows
which public key he should use. For instance, if the encrypter doesn't want to
revoke anybody, he encrypts using $pk_0$. If he wants to exclude i from decrypting,
he encrypts using $pk_i$. If he wants to exclude i and j from decrypting, he
encrypts using the aggregated public key $pk_i \oplus pk_j$. In the same way, more users
can be excluded from decrypting. With the parameters in the above setting, the
proposal is realized as follows.

- BSetup($\lambda, n$): The dealer randomly chooses $X_i \in \mathbb{G}$, $r_i \in \mathbb{Z}_p^*$ for $i = 0, \dots, n$
  and computes $R_i = g^{-r_i}$, $A_i = e(X_i, g)$. The BE public key is $PK = ((R_0, A_0), \dots,
  (R_n, A_n))$ and the BE secret key is $SK = ((r_0, X_0), \dots, (r_n, X_n))$.

- BKeyGen($j, SK$): For $j = 1, \dots, n$, the private key of user j is
  $d_j = (\sigma_{0,j}, \dots, \sigma_{j-1,j}, \sigma_{j+1,j}, \dots, \sigma_{n,j})$, where $\sigma_{i,j} = X_i\,H(ID_j)^{r_i}$.

- BEncryption($R, PK$): Set $\bar{R} = \{0, 1, \dots, n\} \setminus R$. Randomly pick $t \in \mathbb{Z}_p$ and
  compute $c = (c_1, c_2)$: $c_1 = g^t$, $c_2 = (\prod_{i \in \bar{R}} R_i)^t$. Set the session key
  $\xi = (\prod_{i \in \bar{R}} A_i)^t$. Output $(c, \xi)$ and send $(R, c)$ to the receivers.

- BDecryption($R, j, d_j, c, PK$): If $j \in R$, receiver j extracts $\xi$ from c with
  private key $d_j$ by computing $e(\prod_{i \in \bar{R}} \sigma_{i,j}, c_1)\,e(H(ID_j), c_2) = \xi$.

The correctness of the BE scheme above follows from direct verification of the
following equations:

$$e\Big(\prod_{i \in \bar{R}} \sigma_{i,j},\, c_1\Big)\, e(H(ID_j), c_2)
= e\Big(\prod_{i \in \bar{R}} X_i\,H(ID_j)^{r_i},\, g^t\Big)\, e\Big(H(ID_j),\, \prod_{i \in \bar{R}} g^{-r_i t}\Big)
= e\Big(\prod_{i \in \bar{R}} X_i,\, g\Big)^t = \Big(\prod_{i \in \bar{R}} A_i\Big)^t = \xi.$$

The security of our BE scheme relies on the decision n-BDHE assumption,
which was shown to be sound by Boneh et al. [2] in the generic group model.

Definition 3 (Decision n-BDHE Assumption). Let $\mathbb{G}$ be a bilinear group
of prime order p as defined above, g a generator of $\mathbb{G}$, and $h = g^t$ for some
unknown $t \in \mathbb{Z}_p$. Denote $\vec{y}_{g,\alpha,n} = (g_1, \dots, g_n, g_{n+2}, \dots, g_{2n}) \in \mathbb{G}^{2n-1}$, where
$g_i = g^{\alpha^i}$ for some unknown $\alpha \in \mathbb{Z}_p$. We say that an algorithm $\mathcal{B}$ that outputs
$b \in \{0,1\}$ has advantage $\varepsilon$ in solving the decision n-BDHE problem if
$|\Pr[\mathcal{B}(g, h, \vec{y}_{g,\alpha,n}, e(g_{n+1}, h)) = 0] - \Pr[\mathcal{B}(g, h, \vec{y}_{g,\alpha,n}, Z) = 0]| \ge \varepsilon$, where the
probability is over the random choice of g in $\mathbb{G}$, the random choice of $t, \alpha \in \mathbb{Z}_p$,
the random choice of $Z \in \mathbb{G}_T$, and the random bits consumed by $\mathcal{B}$. We say that
the decision $(\tau, \varepsilon, n)$-BDHE assumption holds in $\mathbb{G}$ if no $\tau$-time algorithm has
advantage at least $\varepsilon$ in solving the decision n-BDHE problem.

According to the BE security definition in [ref], our scheme is fully collusion-
resistant under the decision BDHE assumption. The proof is given in the full
version of the paper [ref]. One can further apply the generic Gentry-Waters
transformation [ref] to convert our semi-adaptive BE scheme into an adaptively secure
one. The cost is to double the size of the public keys and the ciphertexts.

Theorem 1. The proposed BE scheme for dynamic groups has full collusion
resistance against semi-adaptive attacks in the random oracle model if the decision
n-BDHE assumption holds. More formally, if there exists a semi-adaptive
attacker $\mathcal{A}$ breaking our scheme with advantage $\varepsilon$ in time $\tau$, then there exists
an algorithm $\mathcal{B}$ breaking the n-BDHE assumption with advantage $\varepsilon$ in time
$\tau' = \tau + O((q_H + n^2)\,\tau_{\mathrm{Exp}})$, where $q_H$ is the number of queries to the random
oracle from $\mathcal{A}$, and $\tau_{\mathrm{Exp}}$ is the time to compute an exponentiation in $\mathbb{G}$ or $\mathbb{G}_T$.

One may observe that, in the above BE scheme, if we replace $H(ID_j)$ with
a random element $h_j$ in $\mathbb{G}$, we obtain a semi-adaptive BE scheme with short
ciphertexts in the standard model. In this case, to simulate $h_j$ in the security
proof, we just need to set $h_j = g_{\ast}\, g^{v_j}$ for a randomly chosen value $v_j \in \mathbb{Z}_p$,
where $g_{\ast}$ denotes an element obtained from the decision n-BDHE instance.

$^2$ Here, user j's i-th decryption key corresponding to index $i \in \{0, \dots, n\} \setminus \{j\}$ is a
signature $\sigma_{i,j} = \sigma_i(ID_j)$ on user j's identity $ID_j$, verifiable under the public key $pk_i$.

3.3 Useful Properties 

Our BE scheme inherits the key-homomorphic property of the underlying ASBB
scheme. Consider the system parameters defined above. Let $PK_1 = ((R_{0,1}, A_{0,1}),
\dots, (R_{n,1}, A_{n,1}))$ and $PK_2 = ((R_{0,2}, A_{0,2}), \dots, (R_{n,2}, A_{n,2}))$ be the respective
public keys of two random instances of the above BE scheme, and for $j =
1, \dots, n$, let $d_{j,1} = (\sigma_{0,j,1}, \dots, \sigma_{j-1,j,1}, \sigma_{j+1,j,1}, \dots, \sigma_{n,j,1}) \in \mathbb{G}^n$ and $d_{j,2} =
(\sigma_{0,j,2}, \dots, \sigma_{j-1,j,2}, \sigma_{j+1,j,2}, \dots, \sigma_{n,j,2}) \in \mathbb{G}^n$ be the respective decryption keys
corresponding to index j under $PK_1$ and $PK_2$. Define $PK = PK_1 \oplus PK_2 =
((R_{0,1}R_{0,2}, A_{0,1}A_{0,2}), \dots, (R_{n,1}R_{n,2}, A_{n,1}A_{n,2}))$ and define $dk_j = d_{j,1} \otimes d_{j,2} =
(\sigma_{0,j,1}\sigma_{0,j,2}, \dots, \sigma_{j-1,j,1}\sigma_{j-1,j,2}, \sigma_{j+1,j,1}\sigma_{j+1,j,2}, \dots, \sigma_{n,j,1}\sigma_{n,j,2})$. Then PK is
the public key of a new instance of the above BE scheme and $dk_j$ is the new
decryption key corresponding to the index j. This fact can be directly verified.

Our BE scheme also preserves the aggregatability of the underlying ASBB
scheme. Roughly speaking, a BE scheme is aggregatable if n instances of the
BE scheme can be aggregated into a new BE instance secure against an attacker
accessing some decryption keys of each instance, provided that the i-th
decryption key corresponding to the i-th instance is unknown to the attacker for
$i = 1, \dots, n$. More formally, this property can be defined as follows.

Definition 4 (Aggregatability). Consider the following game between an adversary
$\mathcal{A}$ and a challenger CH:

- Setup: $\mathcal{A}$ initializes the game with an integer n. CH replies with $(\pi, PK_1, \dots,
  PK_n)$, which are the system parameters and the n independent public keys of
  the BE scheme.

- Corruption: For $1 \le i, j \le n$, where $i \ne j$, the adversary $\mathcal{A}$ is allowed to
  know the decryption keys $dk_{j,i}$ corresponding to index j with respect to the
  public key $PK_i$.

- Challenge: CH and $\mathcal{A}$ run a standard IND-CPA game under the aggregated
  public key $PK = PK_1 \oplus \dots \oplus PK_n$. $\mathcal{A}$ wins if $\mathcal{A}$ outputs a correct guess bit.
  Denote $\mathcal{A}$'s advantage by $\mathrm{Adv}_{\mathcal{A}} = |\Pr[\mathrm{win}] - \tfrac{1}{2}|$.

A BE scheme is said to be $(\tau, \varepsilon, n)$-aggregatable if no $\tau$-time algorithm $\mathcal{A}$ has
advantage $\mathrm{Adv}_{\mathcal{A}} \ge \varepsilon$ in the above aggregatability game.

Theorem 2. If there exists an attacker $\mathcal{A}$ who wins the aggregatability game
with advantage $\varepsilon$ in time $\tau$, then there exists an algorithm $\mathcal{B}$ breaking the n-
BDHE assumption with advantage $\varepsilon$ in time $\tau' = \tau + O(n^3\,\tau_{\mathrm{Exp}})$.

For the proof of the previous theorem, we refer to Theorem 3, where we prove
a stronger property in the sense that the attacker is additionally allowed to
know the internal randomness used to compute $dk_{j,i}$ corresponding to $PK_i$
for $1 \le i, j \le n$ where $i \ne j$.

4 Proposed CBE Scheme 

In this section, we propose a CBE scheme based on the above aggregatable BE scheme.
The basic construction has short ciphertexts and long protocol transcripts. Then
we show an efficient trade-off between ciphertexts and protocol transcripts.

4.1 High-Level Description

Our basic idea is to introduce the revocation mechanism of a regular BE scheme
into the asymmetric GKA scheme [ref]. To this end, each member acts as the
dealer of the aggregatable BE scheme above. The k-th user publishes $PK_k$ and
$d_{j,k}$, where $d_{j,k}$ is the decryption key of $PK_k$ corresponding to the index $j \in
\{1, \dots, n\} \setminus \{k\}$. Then the negotiated public key is $PK = PK_1 \oplus \dots \oplus PK_n$.
Each member j can compute the decryption key $dk_j = d_{j,j} \otimes \bigotimes_{k \ne j} d_{j,k}$.
Observe that $d_{j,j}$ has never been published. Due to the key homomorphism
of the BE scheme above, $dk_j$ is a valid decryption key corresponding to PK.
Hence, anyone knowing PK can encrypt to any subset of the members and the
intended receivers can decrypt.

To guarantee the security of the resulting CBE scheme, we also need to show
that only the intended receivers can decrypt. This is ensured by the fact that the
underlying BE scheme is aggregatable. Indeed, although the Gentry-Waters BE
scheme [ref] is key-homomorphic, an analog of our CBE scheme using the Gentry-
Waters BE scheme as a building block is shown to be insecure in [ref], because
the Gentry-Waters BE scheme is not aggregatable. We note that a static PKBE
scheme without a dealer can be trivially obtained from the ASGKA protocol
in [ref]. This is realized by letting each member register his/her published
string as her public key. Then anyone knowing the public keys of all members
can send encrypted messages to the group and only the group members can
decrypt the message. However, no revocation mechanism is provided. To exclude
some members, one may be motivated to modify the above trivial construction
by using the aggregation of the public keys of the intended receivers as the
sub-group public key. Clearly, this will allow the intended receivers to decrypt
ciphertexts generated with this sub-group public key. Unfortunately, anyone (not
necessarily a revoked member) knowing the receivers' public keys can also
decrypt, as shown in [ref].


4.2 The Proposal 

Based on our aggregatable BE scheme, we implement a CBE scheme with short 
ciphertexts. Assume that the group size is at most n. Let T = (p. G, G t, e) <— 
PairGen(l A ), and g,h \ , ••• , h n be independent generators of G. The system 
parameters are ir = {X,n,T,g, hi, ■ ■ ■ , h„). 


- Setup. The set-up of a CBE system consists of the following three procedures: 

  • Group Key Agreement Execution: For $1 \le k \le n$, member $k$ does the following: 

    Randomly choose $X_{i,k} \in G$, $r_{i,k} \in \mathbb{Z}_p^*$ for $0 \le i \le n$; 

    Compute $R_{i,k} = g^{-r_{i,k}}$, $A_{i,k} = e(X_{i,k}, g)$; 

    Set $PK_k = ((R_{0,k}, A_{0,k}), \dots, (R_{n,k}, A_{n,k}))$; 

    For $1 \le j \le n$, compute $\sigma_{i,j,k} = X_{i,k} h_j^{r_{i,k}}$ for $0 \le i \le n$, $i \ne j$; 

    Set $d_{j,k} = (\sigma_{0,j,k}, \dots, \sigma_{j-1,j,k}, \sigma_{j+1,j,k}, \dots, \sigma_{n,j,k})$; 

    Publish $(PK_k, d_{1,k}, \dots, d_{k-1,k}, d_{k+1,k}, \dots, d_{n,k})$ and keep $d_{k,k}$ secret. 

  • Group Encryption Key Derivation: The group encryption key is 
    $PK = PK_1 \otimes \cdots \otimes PK_n = ((R_0, A_0), \dots, (R_n, A_n))$, where 
    $R_i = \prod_{k=1}^{n} R_{i,k}$, $A_i = \prod_{k=1}^{n} A_{i,k}$ for $i = 0, \dots, n$. 
    The group encryption key $PK$ is publicly computable. 

  • Member Decryption Key Derivation: For $0 \le i \le n$, $1 \le j \le n$ and $i \ne j$, 
    member $j$ can compute decryption key $d_j = (\sigma_{0,j}, \dots, \sigma_{j-1,j}, \sigma_{j+1,j}, \dots, \sigma_{n,j})$, 
    where $\sigma_{i,j} = \sigma_{i,j,j} \prod_{k=1, k \ne j}^{n} \sigma_{i,j,k} = \prod_{k=1}^{n} \sigma_{i,j,k} = \prod_{k=1}^{n} X_{i,k} h_j^{r_{i,k}}$. 

- CBEncrypt. Assume that a sender (not necessarily a group member) wants 
  to send to receivers in $R \subseteq \{1, \dots, n\}$ a session key $\xi$. Set 
  $\bar{R} = \{0, 1, \dots, n\} \setminus R$. Randomly pick $t$ in $\mathbb{Z}_p$ and compute the 
  ciphertext $c = (c_1, c_2)$ where $c_1 = g^t$, $c_2 = (\prod_{i \in \bar{R}} R_i)^t$. 
  Output $(c, \xi)$ where $\xi = (\prod_{i \in \bar{R}} A_i)^t$. Send $(R, c)$ to the receivers. 

- CBDecrypt. If $j \in R$, receiver $j$ can extract $\xi$ from the ciphertext $c$ with 
  decryption key $d_j$ by computing 
  $e\big(\prod_{i \in \bar{R}} \sigma_{i,j},\, c_1\big)\, e(h_j, c_2) = \xi$. 


The correctness of the proposed CBE scheme directly follows from 
the fact that the underlying BE scheme is correct and key-homomorphic. As to 
security, we have the following theorem, whose proof is given in [22]. 


Theorem 3. The proposed CBE scheme has fully collusion-resistant secrecy 
against semi-adaptive attacks in the standard model if the decision $n$-BDHE 
assumption holds. More formally, if there exists a semi-adaptive attacker $\mathcal{A}$ 
breaking our scheme with advantage $\epsilon$ in time $\tau$, then there exists an 
algorithm $\mathcal{B}$ breaking the $n$-BDHE assumption with advantage $\epsilon$ in time 
$\tau' = \tau + O(n^3) \cdot (\dots)$. 


Bridging Broadcast Encryption and Group Key Agreement 157 


4.3 Discussion 

We first examine the online complexity of our scheme, which is critical for the 
practicality of a CBE scheme. We use the widely-adopted metrics [?] 
for regular BE schemes. After the CBSetup procedure, a sender needs to retrieve 
and store the group public key $PK$ consisting of $n$ elements in $G$ and $n$ elements 
in $G_T$. This requires about $150n$ bytes to achieve the security level of an RSA- 
1024 cryptosystem. Note that in the motivating applications, the group size is 
usually not very large. Consider an initial group of 100 users. The group public 
key is about 15 Kbytes long, which is acceptable in practice. Moreover, for encryption, 
the sender needs only two exponentiations and the ciphertext merely contains 
two elements in $G$. This is about $n$ times more efficient than the trivial solution. 
At the receiver's side, in addition to the description of the bilinear pair, which 
may be shared by many other security applications, a receiver needs to store $n$ 
elements in $G$ for decryption. The storage cost of a receiver is about $22n$ bytes. 
For decryption, a receiver needs to compute two single-base bilinear pairings (or 
one two-base bilinear pairing). The online costs on the sides of both the sender 
and the receivers are really low. 

We next discuss the complexity of the CBSetup procedure to set up a CBE sys- 
tem. The overhead incurred by this procedure is $O(n^2)$. However, in most cases, 
this procedure needs to be run only once and this can be done offline before 
online transmission of secret session keys. For instance, in the social networks 
example, a number of friends exchange their CBSetup transcripts and establish a 
CBE system to secure their subsequent sharing of private pictures/videos. Since 
CBE allows revoking members, the members do not need to reassemble for a 
new run of the CBSetup procedure until some new friends join. From our per- 
sonal experience, the group lifetime usually lasts from weeks to months. These 
observations imply that our protocol is practical in the real world. 

Furthermore, if the initial group is too large, an efficient trade-off can be 
employed [?] to balance the online and offline costs. Suppose that $n$ is a cube, 
i.e., $n = n_1^3$, and the initial group has $n$ members. We divide the full group 
into $n_1^2$ subgroups, each of which has $n_1$ members. By applying our basic CBE 
to each subgroup, we obtain a CBE scheme with $O(n_1^2)$-size transcripts per 
member during the offline stage of group key establishment; a sender needs to 
do $O(n_1^2)$ encryption operations of the basic CBE scheme, which produces $O(n_1^2)$- 
size ciphertexts. Consequently, we obtain a CBE scheme with $O(n^{2/3})$ complexity. 
This is comparable to up-to-date public-key BE systems whose complexity is 
$O(n^{1/2})$. For a group of 1000 users, our dealer-free BE scheme is about 10 times 
more efficient than the trivial solution. It is about 3 times less efficient than a 
public-key BE scheme, but our CBE does not require a trusted key dealer. The 
cost of versatility is acceptable. 

One may notice a subtlety in the above trade-off. When the basic CBE scheme 
is applied to each subgroup, members in each subgroup will extract the same 
session key, but members in different subgroups will have different session keys. 
This is inconsistent with the CBE definition in which all members should extract 
the same session key, even if the members are in different subgroups. This can 
be trivially addressed as follows. The sender additionally selects a string from 
the session key space and encrypts it for each subgroup with the session key 
shared by that subgroup. Then all members can extract the same resulting 
session key. This introduces an additional $O(n^{2/3})$-size ciphertext if there are 
$O(n^{2/3})$ subgroups, but it does not affect the asymptotic complexity of the 
scheme after the trade-off. 

Finally, we assume that the communication channels between members are 
authenticated during the CBSetup stage to establish the group encryption key. 
In practice, these authenticated channels can be the pre-existing ones between 
members (e.g., in instant-messaging systems and cooperative scientific compu- 
tation) or be established by personal interaction (e.g., some ad hoc network 
applications). This is plausible since CBE is usually deployed for cooperative 
members who may be friends. Note that the CBSetup sub-protocol requires only 
one round. An alternative option to achieve authentication is to let a partially 
trusted third party certify each member's protocol transcript. The third party 
plays a role similar to a certification authority in the popular PKI setting, and 
cannot read the plaintexts encrypted to the members. This is different from regu- 
lar BE systems where the fully trusted dealer can decrypt all communications to 
the members. For instance, in a social network application, the service provider 
can serve as the partially trusted third party. This is also plausible since this 
kind of application usually requires users to register for service. In this case, the 
CBSetup transcript of each member can be viewed as her public key. 

5 Conclusions 

In this paper, we formalized the CBE primitive, which bridges the GKA and BE 
notions. In CBE, anyone can send secret messages to any subset of the group 
members, and the system does not require a trusted key server. Neither the 
change of the sender nor the dynamic choice of the intended receivers requires 
extra rounds to negotiate group encryption/decryption keys. Following the CBE 
model, we instantiated an efficient CBE scheme that is secure in the standard 
model. As a versatile cryptographic primitive, our novel CBE notion opens a 
new avenue to establish secure broadcast channels and can be expected to secure 
numerous emerging distributed computation applications. 
Abstract. We revisit the topic of joint security for combined public key 
schemes, wherein a single keypair is used for both encryption and sig- 
nature primitives in a secure manner. While breaking the principle of 
key separation, such schemes have attractive properties and are some- 
times used in practice. We give a general construction for a combined 
public key scheme having joint security that uses IBE as a component 
and that works in the standard model. We provide a more efficient direct 
construction, also in the standard model. 


1 Introduction 

Key separation versus key reuse: The folklore principle of key separation dic- 
tates using different keys for different cryptographic operations. While this is 
well-motivated by real-world, security engineering concerns, there are still situ- 
ations where it is desirable to use the same key for multiple operations [13]. In 
the context of public key cryptography, using the same keypair for both encryp- 
tion and signature primitives can reduce storage requirements (for certificates 
as well as keys), reduce the cost of key certification and the time taken to ver- 
ify certificates, and reduce the footprint of cryptographic code. These savings 
may be critical in embedded systems and low-end smart card applications. As 
a prime example, the globally-deployed EMV standard for authenticating credit 
and debit card transactions allows the same keypair to be reused for encryption 
and signatures for precisely these reasons [?]. 

However, this approach of reusing keys is not without its problems. For exam- 
ple, there is the issue that encryption and signature keypairs may have different 
lifetimes, or that the private keys may require different levels of protection [13 . 
Most importantly of all, there is the question of whether it is secure to use the 
same keypair in two (or more) different primitives - perhaps the two uses will 
interact with one another badly, in such a way as to undermine the security of 
one or both of the primitives. In the case of textbook RSA, it is obvious that 
using the same keypair for decryption and signing is dangerous, since the signing 
and decryption functions are so closely related in this case. Security issues may 
still arise even if some standardized padding is used prior to encryption and 
signing [20]. In Section 3 we will provide another example in the context of en- 
cryption and signature primitives, where the individual components are secure 
(according to the usual notions of security for encryption and signature) but 
become completely insecure as soon as they are used in combination with one 
another. At the protocol level, Kelsey, Schneier and Wagner [?] gave examples 
of protocols that are individually secure, but that interact badly when a keypair 
is shared between them. 

The formal study of the security of key reuse was initiated by Haber and 
Pinkas [?]. They introduced the concept of a combined public key scheme. Here, 
an encryption scheme and signature scheme are combined: the existing algo- 
rithms to encrypt, decrypt, sign and verify are preserved, but the two key gen- 
eration algorithms are modified to produce a single algorithm. This algorithm 
outputs two keypairs, one for the encryption scheme and one for the signature 
scheme, with the keypairs no longer necessarily being independent. Indeed, under 
certain conditions, the two keypairs may be identical, in which case the savings 
described above may be realised. In other cases, the keypairs are not identi- 
cal but can have some shared components, leading to more modest savings. 
Haber and Pinkas also introduced the natural security model for combined pub- 
lic key schemes, where the adversary against the encryption part of the scheme 
is equipped with a signature oracle in addition to the usual decryption oracle, 
and where the adversary against the signature part of the scheme is given a 
decryption oracle in addition to the usual signature oracle. In this setting, we 
talk about the joint security of the combined scheme. 

Setting a benchmark: As we shall see in Section 3, there is a trivial "Cartesian 
product” construction for a combined public key scheme with joint security. The 
construction uses arbitrary encryption and signature schemes as components, 
and the combined scheme’s keypair is just a pair of vectors whose components are 
the public/private keys of the component schemes. Thus the Cartesian product 
construction merely formalises the principle of key separation. This construction, 
while extremely simple, provides a benchmark by which other constructions can 
be judged. For example, if the objective is to minimise the public key size in a 
combined scheme, then any construction should aim to have shorter keys than 
can be obtained by instantiating the Cartesian product construction with the 
best available encryption and signature schemes. 

Re-evaluating Haber-Pinkas: In this respect, we note that, while Haber and 
Pinkas considered various well-known concrete schemes and conditions under 
which their keys could be partially shared, none of their examples having prov- 
able security in the standard model lead to identical keypairs for both signature 
and encryption. Indeed, while the approach of Haber and Pinkas can be made 
to work in the random oracle model by careful oracle programming and domain 
separation, their approach does not naturally extend to the standard model. 
More specifically, in their approach, to be able to simulate the signing oracle in 
the IND-CCA security game, the public key of the combined scheme cannot be 
exactly the same as the public key of the underlying encryption scheme (oth- 
erwise, successful simulation would lead to a signature forgery). This makes 
it hard to achieve full effective overlap between the public keys for signing 
and encryption. For the (standard model) schemes considered by Haber and 
Pinkas this results in the requirements that part of the public key be specific 
to the encryption scheme and that another part of it be specific to the sig- 
nature scheme. Furthermore, at the time of publication of [?] only a few se- 
cure (IND-CCA2, resp. EUF-CMA) and efficient standard-model schemes were 
known. Consequently, no "compatible" signature and encryption schemes were 
identified in [?] for the standard model. 

Combined schemes from trapdoor permutations: The special case of combined 
schemes built from trapdoor permutations was considered in [?]. Here, both 
sets of authors considered the use of various message padding schemes in con- 
junction with an arbitrary trapdoor permutation to build combined public key 
schemes having joint security. Specifically, Coron et al. [?] considered the case of 
PSS-R encoding, while Komano and Ohta [?] considered the cases of OAEP+ 
and REACT encodings. All of the results in these two papers are in the random 
oracle model. In further related, but distinct, work, Dodis et al. [?] (see also [?]) 
considered the use of message padding schemes and trapdoor permutations to 
build signcryption schemes. Dodis et al. showed, again in the random oracle 
model, how to build efficient, secure signcryption schemes in which each user's 
keypair, specifying a permutation and its trapdoor, is used for both signing and 
encryption purposes. 


1.1 Our Contribution 

We focus on the problem of how to construct combined public key schemes 
which are jointly secure in the standard model, a problem for which, as we have 
explained above, there currently exist no fully satisfactory solutions. Naturally, 
for reasons of practical efficiency, we are interested in minimising the size of 
keys (both public and private), ciphertexts, and signatures in such schemes. The 
complexity of the various algorithms needed to implement the schemes will also 
be an important consideration. 

As a warm-up, in Section 3 we give the simple Cartesian product construction, 
as well as a construction showing that the general problem is not vacuous (i.e. 
that there exist insecure combined schemes whose component schemes are secure 
when used in isolation). 

We then present in Section 4 a construction for a combined public key scheme 
using an IBE scheme as a component. The trick here is to use the IBE scheme 
in the Naor transform and the CHK transform simultaneously to create a com- 
bined public key scheme that is jointly secure, under rather weak requirements on 
the starting IBE scheme (specifically, the IBE scheme needs to be OW-ID-CPA 


164 K.G. Paterson et al. 


and IND-sID-CPA secure). This construction extends easily to the (hierarchi- 
cal) identity-based setting. Instantiating this construction using standard model 
secure IBE schemes from the literature already yields rather efficient combined 
schemes. For example, using an asymmetric pairing version of Gentry's IBE 
scheme [?] we can achieve a combined scheme in which, at the 128-bit secu- 
rity level, the public key size is 1536 bits, the signature size is 768 bits and the 
ciphertext size is 2304 bits (plus the size of a signature and a verification key 
for a one-time signature scheme), with joint security being based on a q-type as- 
sumption. This is already competitive with schemes arising from the Cartesian 
product construction. 

We then provide a more efficient direct construction for a combined scheme 
with joint security in Section 5. This construction is based on the signature 
scheme of Boneh and Boyen [?] and a KEM obtained by applying the techniques 
by Boyen, Mei and Waters [?] to the second IBE scheme of Boneh and Boyen 
in [?]. At the 128-bit security level, it enjoys public keys that consist of 1280 
bits, signatures that are 768 bits and a ciphertext overhead of just 512 bits. The 
signatures can be shrunk at the cost of increasing the public key size. 

The ideas of this paper also have applications for signcryption. We show in 
the full version [?] that a (tag-based) combined public key scheme can be used 
to construct a signcryption scheme, using the "sign-then-encrypt" construction 
of [23], that is secure in the strongest security model for signcryption (achiev- 
ing insider confidentiality and insider unforgeability in the multi-user setting). 
Instantiating this construction with our concrete combined public key scheme 
effectively solves the challenge implicitly laid down by Dodis et al. in [?], to con- 
struct an efficient standard model signcryption scheme in which a single short 
keypair can securely be used for both sender and receiver functions. Further- 
more, we are able to show that the signcryption scheme we obtain is jointly 
secure when used in combination with both its signature and encryption com- 
ponents. Thus we are able to obtain a triple of functionalities (signcryption, 
signature, encryption) which are jointly secure using only a single keypair. 

1.2 Further Related Work 

Further work on combined public key schemes in the random oracle model, for 
both the normal public key setting and the identity-based setting can be found 
in [23]. In particular, it is proved that the identity-based signature scheme of 
Hess [?] and Boneh and Franklin's identity-based encryption scheme [?] can be 
used safely together. 

The topic of joint security of combined public key schemes is somewhat linked 
to the topic of cryptographic agility [?], which considers security when the same 
key (or key pair) is used simultaneously in multiple instantiations of the same 
cryptographic primitive. This contrasts with joint security, where we are con- 
cerned with security when the same key pair is used simultaneously in instan- 
tiations of different cryptographic primitives. The connections between these 
different but evidently related topics remain to be explored. 
2 Preliminaries 

In our constructions, we will make use of a number of standard primitives, in- 
cluding digital signatures, (tag-based) public key encryption, identity-based en- 
cryption (IBE), a data encapsulation mechanism (DEM), and an always second- 
preimage resistant hash function. We refer the reader to the full version [?] 
for the standard definitions and security notions for these primitives. In the fol- 
lowing, we briefly recall the properties of bilinear pairings as well as define the 
computational assumptions which we will make use of to prove the security of 
our concrete constructions. 

Bilinear pairings: Let $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$, $G_T$ be groups of prime order $p$. A 
pairing is a map $e : G_1 \times G_2 \to G_T$ that satisfies the following properties: 

1. Bilinear: For all $a, b \in \mathbb{Z}$, $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$. 

2. Non-degenerate: $e(g_1, g_2) \ne 1$. 

3. Computable: There is an efficient algorithm to compute the map $e$. 

Note that we work exclusively in the setting of asymmetric pairings, whereas 
schemes are often presented in the naive setting of symmetric pairings $e : G \times G \to G_T$. 
At higher security levels (128 bits and above), asymmetric pairings are 
far more efficient both in terms of computation and in terms of the size of group 
elements [?]. As a concrete example, using BN curves [2] and sextic twists, 
we can attain the 128-bit security level with elements of $G_1$ being represented 
by 256 bits and elements of $G_2$ needing 512 bits. By exploiting compression 
techniques [?], elements of $G_T$ in this case can be represented using 1024 bits. 
For further details on parameter selection for pairings, see [12]. 

Strong Diffie-Hellman (SDH) assumption Let $G_1$ and $G_2$ be two cyclic 
groups of prime order $p$, respectively generated by $g_1$ and $g_2$. In the bilinear 
group pair $(G_1, G_2)$, the $q$-SDH problem is stated as follows: 

Given as input a $(q+3)$-tuple of elements 
$$(g_1,\; g_1^{x},\; g_2,\; g_2^{x},\; g_2^{(x^2)},\; \dots,\; g_2^{(x^q)}) \in G_1^2 \times G_2^{q+1},$$ 

output a pair $(c,\; g_2^{1/(x+c)}) \in \mathbb{Z}_p \times G_2$ for a freely chosen value $c \in \mathbb{Z}_p \setminus \{-x\}$. 

An algorithm $\mathcal{A}$ solves the $q$-SDH problem in the bilinear group pair $(G_1, G_2)$ 
with advantage $\epsilon$ if 

$$\Pr\left[\mathcal{A}(g_1, g_1^{x}, g_2, g_2^{x}, g_2^{(x^2)}, \dots, g_2^{(x^q)}) = (c,\; g_2^{1/(x+c)})\right] \ge \epsilon,$$ 

where the probability is over the random choice of generators $g_1 \in G_1$ and 
$g_2 \in G_2$, the random choice of $x \in \mathbb{Z}_p^*$, and the random bits consumed by $\mathcal{A}$. We 
say that the $(t, q, \epsilon)$-SDH assumption holds in $(G_1, G_2)$ if no $t$-time algorithm 
has advantage at least $\epsilon$ in solving the $q$-SDH problem in $(G_1, G_2)$. 
Decisional Bilinear Diffie-Hellman Inversion (DBDHI) assumption Let $G_1$ 
and $G_2$ be two cyclic groups of prime order $p$, respectively generated by $g_1$ and 
$g_2$. In the bilinear group pair $(G_1, G_2)$, the $q$-DBDHI problem is stated as follows: 

Given as input a $(q+4)$-tuple of elements 

$$(g_1,\; g_1^{x},\; g_2,\; g_2^{x},\; g_2^{(x^2)},\; \dots,\; g_2^{(x^q)},\; T) \in G_1^2 \times G_2^{q+1} \times G_T,$$ 

output 0 if $T = e(g_1, g_2)^{1/x}$ or 1 if $T$ is a random element in $G_T$. 

An algorithm $\mathcal{A}$ solves the $q$-DBDHI problem in the bilinear group pair $(G_1, G_2)$ 
with advantage $\epsilon$ if 

$$\Big|\, \Pr\left[\mathcal{A}(g_1, g_1^{x}, g_2, g_2^{x}, g_2^{(x^2)}, \dots, g_2^{(x^q)}, e(g_1, g_2)^{1/x}) = 0\right] 
- \Pr\left[\mathcal{A}(g_1, g_1^{x}, g_2, g_2^{x}, g_2^{(x^2)}, \dots, g_2^{(x^q)}, T) = 0\right] \Big| \ge \epsilon,$$ 

where the probability is over the random choice of generators $g_1 \in G_1$ and 
$g_2 \in G_2$, the random choice of $x \in \mathbb{Z}_p^*$, the random choice of $T \in G_T$, and 
the random bits consumed by $\mathcal{A}$. We say that the $(t, q, \epsilon)$-DBDHI assumption 
holds in $(G_1, G_2)$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the 
$q$-DBDHI problem in $(G_1, G_2)$. 

3 Combined Signature and Encryption Schemes 

A combined signature and encryption scheme is a combination of a signature 
scheme and a public key encryption scheme that share a key generation algorithm 
and hence a keypair (pk, sk). It comprises a tuple of algorithms (KeyGen, Sign, 
Verify, Encrypt, Decrypt) such that (KeyGen, Sign, Verify) form a signature scheme 
and (KeyGen, Encrypt, Decrypt) form a PKE scheme. Since the signature and 
PKE schemes share a keypair, the standard notions of EUF-CMA and IND- 
CCA security need to be extended to reflect an adversary's ability to request 
both signatures and decryptions under the challenge public key. When defining 
a security game against a component of the scheme, the nature of any additional 
oracles depends on the required security of the other components. For example, 
if EUF-CMA security of the signature component of a combined signature and 
encryption scheme is required, then it is necessary to provide the adversary with 
unrestricted access to a signature oracle when proving IND-CCA security of the 
encryption component of the scheme. The security definitions given implicitly 
in [5], considering IND-CCA security of the encryption component and EUF- 
CMA security of the signature component, are stated formally here. 

EUF-CMA security in the presence of a decryption oracle: Let (KeyGen, Sign, 
Verify, Encrypt, Decrypt) be a combined signature and encryption scheme. Ex- 
istential unforgeability of the signature component under an adaptive chosen 
message attack in the presence of an additional decryption oracle is defined 
through the following game between a challenger and an adversary A. 
Setup: The challenger generates a keypair $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$ and gives $\mathcal{A}$ 
the challenge public key $pk$. 

Query phase: $\mathcal{A}$ requests signatures on messages $m_i$ of its choice. The chal- 
lenger responds to each signature query with a signature $\sigma_i \leftarrow \mathrm{Sign}(sk, m_i)$. 
$\mathcal{A}$ also requests decryptions of ciphertexts $c_i$ of its choice. The challenger 
responds to each decryption query with a message $m \leftarrow \mathrm{Decrypt}(sk, c_i)$ or a 
failure symbol $\bot$. 

Forgery: $\mathcal{A}$ outputs a message signature pair $(\sigma, m)$ such that $m$ was not sub- 
mitted to the signing oracle, and wins the game if $\mathrm{Verify}(pk, \sigma, m) = 1$. 

The advantage of an adversary $\mathcal{A}$ is the probability it wins the above game. 

A forger $\mathcal{A}$ $(t, q_d, q_s, \epsilon)$-breaks the signature component of a combined sig- 
nature and encryption scheme if $\mathcal{A}$ runs in time at most $t$, makes at most $q_d$ 
decryption queries and $q_s$ signature queries and has advantage at least $\epsilon$. The 
signature component of a combined signature and encryption scheme is said to 
be $(t, q_d, q_s, \epsilon)$-EUF-CMA secure in the presence of a decryption oracle if no 
forger $(t, q_d, q_s, \epsilon)$-breaks it. 

IND-CCA security in the presence of a signing oracle: Let (KeyGen, Sign, Verify, 
Encrypt, Decrypt) be a combined signature and encryption scheme. Indistinguisha- 
bility of the encryption component under an adaptive chosen ciphertext attack 
in the presence of an additional signing oracle is defined through the following 
game between a challenger and an adversary $\mathcal{A}$. 

Setup: The challenger generates a keypair $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$ and gives $\mathcal{A}$ 
the challenge public key $pk$. 

Phase 1: $\mathcal{A}$ requests decryptions of ciphertexts $c_i$ of its choice. The challenger 
responds to each decryption query with a message $m \leftarrow \mathrm{Decrypt}(sk, c_i)$ or 
a failure symbol $\bot$. $\mathcal{A}$ also requests signatures on messages $m_i$ of its choice. 
The challenger responds to each signature query with a signature $\sigma_i \leftarrow 
\mathrm{Sign}(sk, m_i)$. 

Challenge: $\mathcal{A}$ chooses two equal length messages $m_0, m_1$. The challenger 
chooses a random bit $b$, computes $c^* \leftarrow \mathrm{Encrypt}(pk, m_b)$, and passes $c^*$ to 
the adversary. 

Phase 2: As Phase 1 but with the restriction that $\mathcal{A}$ must not request the 
decryption of the challenge ciphertext $c^*$. 

Guess: $\mathcal{A}$ outputs a guess $b'$ for $b$. 

The advantage of $\mathcal{A}$ is $|\Pr[b' = b] - \tfrac{1}{2}|$. 

An adversary $\mathcal{A}$ $(t, q_d, q_s, \epsilon)$-breaks the encryption component of a combined 
signature and encryption scheme if $\mathcal{A}$ runs in time at most $t$, makes at most $q_d$ 
decryption queries and $q_s$ signature queries and has advantage at least $\epsilon$. The 
encryption component of a combined signature and encryption scheme is said to 
be $(t, q_d, q_s, \epsilon)$-IND-CCA secure in the presence of a signing oracle if no adver- 
sary $(t, q_d, q_s, \epsilon)$-breaks it. 
Informally, we say that a combined scheme is jointly secure if it is both EUF- 
CMA secure in the presence of a decryption oracle and IND-CCA secure in the 
presence of a signing oracle. 

3.1 A Cartesian Product Construction 

A trivial way of obtaining a system satisfying the above security properties is to 
concatenate the keys of an encryption scheme and signature scheme, then use 
the appropriate component of the compound key for each operation. This gives a 
combined signature and encryption scheme where the signature and encryption 
operations are essentially independent. Consequently their respective security 
properties are retained in the presence of the additional oracle. This simple con- 
struction sets a benchmark in terms of key size and other performance measures 
that any bespoke construction should best in one or more metrics. 

Formally, let S = (S.KeyGen, S.Sign, S.Verify) be a signature scheme, and 
let E = (E.KeyGen, E.Encrypt, E.Decrypt) be an encryption scheme. Then the 
Cartesian product combined signature and encryption scheme CartCSE(E, S) is 
constructed as follows: 

CartCSE(E, S).KeyGen(1^k): Run S.KeyGen(1^k) to get (pk_s, sk_s). Run E.KeyGen(1^k) 
to get (pk_e, sk_e). Output the public key pk = (pk_s, pk_e) and the private 
key sk = (sk_s, sk_e). 

CartCSE(E, S).Sign(sk, m): Output S.Sign(sk_s, m). 

CartCSE(E, S).Verify(pk, σ, m): Output S.Verify(pk_s, σ, m). 

CartCSE(E, S).Encrypt(pk, m): Output E.Encrypt(pk_e, m). 

CartCSE(E, S).Decrypt(sk, c): Output E.Decrypt(sk_e, c). 

We omit the straightforward proof that this scheme is jointly secure if S is 
EUF-CMA secure and E is IND-CCA secure. 


3.2 An Insecure CSE Scheme whose Components are Secure 

To show that the definitions are not trivially satisfied, we give a pathologi- 
cal example to show that a PKE scheme and a signature scheme that are 
individually secure may not be secure when used in combination. Let S = 
(S.KeyGen, S.Sign, S.Verify) be an EUF-CMA secure signature scheme, and let 
E = (E.KeyGen, E.Encrypt, E.Decrypt) be an IND-CCA secure encryption scheme. 
A combined signature and encryption scheme BadCSE(E, S) can be constructed 
as follows. 

BadCSE(E, S).KeyGen(1^k): Run S.KeyGen(1^k) to get (pk_s, sk_s). Run E.KeyGen(1^k) 
to get (pk_e, sk_e). Output the public key pk = (pk_s, pk_e) and the private 
key sk = (sk_s, sk_e). 

BadCSE(E, S).Sign(sk, m): Compute σ' = S.Sign(sk_s, m). Output σ = σ'||sk_e. 

BadCSE(E, S).Verify(pk, σ, m): Parse σ as σ'||sk_e. Run S.Verify(pk_s, σ', m) and 
output the result. 

BadCSE(E, S).Encrypt(pk, m): Output c = E.Encrypt(pk_e, m). 

BadCSE(E, S).Decrypt(sk, c): Run E.Decrypt(sk_e, c). If this decryption is suc- 
cessful, output the decrypted message. Otherwise (if ⊥ was returned), output 
sk_s. 

From the security of the base schemes it is easy to see that the signa- 
ture scheme given by the algorithms BadCSE(E, S).KeyGen, BadCSE(E, S).Sign, 
BadCSE(E, S).Verify is EUF-CMA secure, and the PKE scheme with algo- 
rithms BadCSE(E, S).KeyGen, BadCSE(E, S).Encrypt, BadCSE(E, S).Decrypt is 
IND-CCA secure. However, when key generation is shared, a single signature 
reveals the PKE scheme's private key, and the decryption of a badly formed 
ciphertext reveals the private key of the signature scheme. Thus BadCSE(E, S) 
is totally insecure, even though its component schemes are secure. 

4 A Generic Construction from IBE 

We show how to build a combined signature and encryption scheme from an IBE 
scheme I with algorithms I.Setup, I.Extract, I.Encrypt, I.Decrypt. We make use 
of a one time strongly secure signature scheme OT with algorithms OT.KeyGen, 
OT.Sign(sk, m), OT.Verify(pk, σ, m). The construction is particularly simple: 
the signature scheme component is constructed through the Naor transform 
[?] and the PKE scheme component through the CHK transform [?]. Since in 
the Naor construction signatures are just private keys from the IBE scheme, 
and these private keys can be used to decrypt ciphertexts in the PKE scheme 
resulting from the CHK transform, we use a bit prefix in the identity space to 
provide domain separation between the signatures and private keys. 

We assume I has message space M, ciphertext space C and identity space 
{0, 1}^{n+1}, and that OT has public key space {0, 1}^n. Then the signature scheme 
component of CSE(I) has message space {0, 1}^n but can be extended to messages 
of arbitrary length through the use of a collision resistant hash function H : 
{0, 1}^* → {0, 1}^n. The PKE component of CSE(I) has message space M. The 
algorithms of CSE(I) are shown in Figure 1. In the full version [?] we show how 
the construction can be extended to support a tag-based encryption component. 

Theorem 1. Let I be a $(t', q, \epsilon)$-OW-ID-CPA secure IBE scheme. Then the 
signature component of CSE(I) is $(t, q_d, q_s, \epsilon)$-EUF-CMA secure in the presence 
of a decryption oracle provided that 

$$q_s + q_d \le q \quad \text{and} \quad t \le t' - q_d (T_v + T_d) - T_d,$$ 

where $T_v$ is the maximum time for a verification in OT and $T_d$ is the maximum 
time for a decryption in I. 

Proof of Theorem 1. Suppose there exists a forger $\mathcal{F}$ that $(t, q_d, q_s, \epsilon)$-breaks the 
EUF-CMA security of the signature component of CSE(I) in the presence of a 
decryption oracle. We construct an algorithm $\mathcal{A}$ that interacts with the forger 
$\mathcal{F}$ to $(t', q, \epsilon)$-OW-ID-CPA break the IBE scheme I. 
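The CSE(I) construction of Figure 1 as an added, runnable example (not the paper's code): the Naor transform for signing, the CHK transform for encryption, and the 0/1 prefix bit that keeps the two identity spaces apart. The IBE I is a constructed toy in the exponent model (each element g^a is stored as a mod P, so the pairing is multiplication mod P); it has the shape of a Boneh-Franklin IBE but is not secure, since mpk reveals msk. OT is a Lamport one-time signature over SHA-256. Two assumptions beyond the paper: vk is hashed to an n-bit string before being used as the identity suffix, and Decrypt takes pk as an explicit argument.

```python
"""CSE(I) of Fig. 1 over a constructed toy IBE and a Lamport OTS (added example)."""
import hashlib
import random

P = (1 << 61) - 1  # constructed stand-in for the prime group order


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over a sequence of byte strings."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def hash_to_exp(data: bytes) -> int:
    """Hash an identity to a group element Q_ID, represented by its exponent."""
    return int.from_bytes(H(b"h2g", data), "big") % P


def pad_from(shared: int) -> bytes:
    return H(b"kdf", shared.to_bytes(8, "big"))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyIBE:
    """Boneh-Franklin shape in the exponent model; NOT secure (mpk = msk here)."""

    @staticmethod
    def setup(rng):
        msk = rng.randrange(1, P)
        return msk, msk                              # (mpk, msk) with mpk = g^msk

    @staticmethod
    def extract(msk: int, ID: bytes) -> int:
        return (msk * hash_to_exp(ID)) % P           # sk_ID = Q_ID^msk

    @staticmethod
    def encrypt(mpk: int, ID: bytes, m: bytes, rng):
        r = rng.randrange(1, P)
        shared = (hash_to_exp(ID) * mpk * r) % P     # e(Q_ID, mpk)^r
        return (r, xor(m, pad_from(shared)))         # (g^r, m XOR KDF(shared)), 32-byte m

    @staticmethod
    def decrypt(mpk: int, sk_ID: int, c) -> bytes:
        U, V = c
        return xor(V, pad_from((sk_ID * U) % P))     # e(sk_ID, g^r) equals the same value


class LamportOTS:
    """Strongly unforgeable one-time signature on SHA-256 digests."""

    @staticmethod
    def keygen(rng):
        sk = [[rng.getrandbits(256).to_bytes(32, "big") for _ in range(2)] for _ in range(256)]
        vk = [[H(b"ots", x) for x in pair] for pair in sk]
        return vk, sk

    @staticmethod
    def sign(sk, msg: bytes):
        d = int.from_bytes(H(b"msg", msg), "big")
        return [sk[i][(d >> i) & 1] for i in range(256)]

    @staticmethod
    def verify(vk, sig, msg: bytes) -> bool:
        d = int.from_bytes(H(b"msg", msg), "big")
        return all(H(b"ots", sig[i]) == vk[i][(d >> i) & 1] for i in range(256))


def vk_bytes(vk) -> bytes:
    """Assumed: vk is hashed (collision-resistantly) to the n-bit identity suffix."""
    return H(b"vk", *[x for pair in vk for x in pair])


def ser(c1) -> bytes:
    """Byte encoding of an IBE ciphertext, the message the OTS signs."""
    return c1[0].to_bytes(8, "big") + c1[1]


class CSE:
    """CSE(I): ID = 0||m for signatures (Naor), ID = 1||vk for encryption (CHK)."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)

    def keygen(self):
        return ToyIBE.setup(self.rng)                # (pk, sk) = (mpk, msk)

    def sign(self, sk, m: bytes) -> int:
        return ToyIBE.extract(sk, b"\x00" + m)      # the signature is sk_{0||m}

    def verify(self, pk, sigma: int, m: bytes) -> bool:
        x = self.rng.getrandbits(256).to_bytes(32, "big")
        c = ToyIBE.encrypt(pk, b"\x00" + m, x, self.rng)
        return ToyIBE.decrypt(pk, sigma, c) == x     # does sigma decrypt for 0||m?

    def encrypt(self, pk, m: bytes):
        vk, sk1 = LamportOTS.keygen(self.rng)
        c1 = ToyIBE.encrypt(pk, b"\x01" + vk_bytes(vk), m, self.rng)
        return (vk, LamportOTS.sign(sk1, ser(c1)), c1)

    def decrypt(self, pk, sk, c):
        vk, sigma, c1 = c
        if not LamportOTS.verify(vk, sigma, ser(c1)):
            return None                              # reject: bottom
        sk_ID = ToyIBE.extract(sk, b"\x01" + vk_bytes(vk))
        return ToyIBE.decrypt(pk, sk_ID, c1)
```

The last check worth running is the domain-separation one: a signature on the string vk (identity 0||vk) is not the key for identity 1||vk, so it does not decrypt a ciphertext built under that vk.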
CSE(I).KeyGen(1^k):
  (mpk, msk) ← I.Setup(1^k)
  (pk, sk) ← (mpk, msk)
  return (pk, sk)

CSE(I).Sign(sk, m):
  ID ← 0||m
  σ ← I.Extract(sk, ID)
  return σ

CSE(I).Verify(pk, σ, m):
  ID ← 0||m
  x ←_R M
  c ← I.Encrypt(pk, ID, x)
  if I.Decrypt(pk, σ, c) = x
    then return 1
    else return 0

CSE(I).Encrypt(pk, m):
  (vk, sk') ← OT.KeyGen
  ID ← 1||vk
  c' ← I.Encrypt(pk, ID, m)
  σ ← OT.Sign(sk', c')
  return (vk, σ, c')

CSE(I).Decrypt(sk, c):
  Parse c as (vk, σ, c')
  if OT.Verify(vk, σ, c') = 1
    then ID ← 1||vk
         sk_ID ← I.Extract(sk, ID)
         return I.Decrypt(pk, sk_ID, c')
    else return ⊥

Fig. 1. Generic construction from IBE

Setup: A is given a master public key mpk which it gives to F as the public key.

Signing queries: In response to a request for a signature on message m, A queries its extraction oracle for the identity ID = 0||m to obtain $sk_{ID}$, which it returns to F as the signature.

Decryption queries: In response to a decryption query for a ciphertext c = (vk, σ, c'), A verifies that σ is a valid signature on c' with verification key vk. If it is not a valid signature, A returns ⊥. If the signature is valid, A queries its extraction oracle for the identity ID = 1||vk to obtain $sk_{ID}$, which it uses to decrypt c', returning the output of the decryption operation as the result of the decryption query.

Forgery: Eventually F will return a forgery (σ*, m*) on a message m* for which a signing query was not made. At this point A outputs ID* = 0||m* as the target identity. This is a valid choice: since a signing query was not made for message m*, an extraction query was not made for ID = 0||m*.

Challenge: A receives a ciphertext c*, which is the encryption of a random message m for identity ID*. If σ* is a valid signature for message m* then σ* is a valid decryption key for identity ID*. This allows A to decrypt c* using $sk_{ID^*} = \sigma^*$ to retrieve the message m, which it subsequently outputs.

A succeeds precisely when F succeeds, so if F outputs a valid forgery with probability ε in time t then algorithm A succeeds in time at most $t + q_d(T_v + T_d) + T_d$ with the same probability ε.




On the Joint Security of Encryption and Signature, Revisited 171 


Theorem 2. Let I be a $(t_i, q_i, \epsilon_i)$-IND-sID-CPA secure IBE scheme and let OT be a $(t_s, \epsilon_s)$-strongly unforgeable one-time signature scheme. Then the encryption component of CSE(I) is $(t, q_d, q_s, \epsilon)$-IND-CCA secure in the presence of a signing oracle provided that

$$\epsilon \ge \tfrac{1}{2}\epsilon_s + \epsilon_i, \quad q_s + q_d \le q_i, \quad\text{and}\quad t \le t_i - T_{kg} - T_{sig} - q_d(T_v + T_d),$$

where $T_{kg}$, $T_{sig}$ and $T_v$ are the maximum times for key generation, signing and verifying respectively in OT, and $T_d$ is the maximum decryption time in I.

Proof of Theorem 2. The proof follows closely that of Theorem 1 in [?]. Let D be an adversary against the IND-CCA security of the encryption component of CSE(I) in the presence of a signing oracle, running in time at most t and making at most $q_s$ signature queries and $q_d$ decryption queries. We use D to build an IND-sID-CPA adversary B against I as follows.

Setup: B runs OT.KeyGen to obtain a keypair (vk*, sk*), then submits ID* = 1||vk* as the target identity. B is then given the master public key mpk, which it gives to D as the challenge public key.

Decryption queries: We partition the decryption queries into three possible cases and show how B responds to each case. Suppose the query is for ciphertext (vk, σ, c'), and let OT.Verify(vk, σ, c') = validity.

Case 1: vk = vk*. If validity = 0 then B responds to the decryption query with ⊥. If validity = 1 then a forgery has been made against OT; call this event Forge. If Forge occurs, B aborts and outputs a random bit b'.

Case 2: vk ≠ vk* and validity = 0. B responds to the decryption query with ⊥.

Case 3: vk ≠ vk* and validity = 1. B queries the extraction oracle for identity ID = 1||vk to obtain $sk_{ID}$, then uses $sk_{ID}$ to decrypt c', responding to the decryption query with the output of the decryption operation.

Signature queries: In response to a signature query for message m, B queries its extraction oracle for identity ID = 0||m to obtain $sk_{ID}$, which it returns as the signature.

Challenge: Eventually D will output a pair of messages $m_0, m_1$. B forwards these messages and receives a challenge ciphertext c*. B calls OT.Sign(sk*, c*) to obtain σ* and sends C = (vk*, σ*, c*) to D. D may make more signature and decryption queries under the restriction that it must not submit its challenge ciphertext C to the decryption oracle. D then submits a guess b', which B outputs as its guess.

B represents a legal strategy for attacking I; in particular B never requests the private key corresponding to the target identity ID*. Provided Forge does not occur, B provides a perfect simulation for D, so B succeeds with the same probability as D. If Forge does occur then B outputs a random bit and succeeds with probability 1/2. Letting $\Pr^{IBE}_B[\mathrm{Succ}]$ denote the probability of B outputting the correct bit in the IBE security game and $\Pr^{PKE}_D[\mathrm{Succ}]$ denote the probability of D outputting the correct bit in the PKE security game, it can be seen that

$$\Pr^{IBE}_B[\mathrm{Succ}] - \tfrac{1}{2} = \Pr^{PKE}_D[\mathrm{Succ} \wedge \neg\mathrm{Forge}] + \tfrac{1}{2}\Pr^{PKE}_D[\mathrm{Forge}] - \tfrac{1}{2}.$$

Since I is a $(t_i, q_i, \epsilon_i)$-IND-sID-CPA secure IBE scheme, $\left|\Pr^{IBE}_B[\mathrm{Succ}] - \tfrac{1}{2}\right| \le \epsilon_i$. The event Forge represents a signature forgery against OT, so $\Pr^{PKE}_D[\mathrm{Forge}] \le \epsilon_s$. It follows that

$$\begin{aligned}
\epsilon &= \left|\Pr^{PKE}_D[\mathrm{Succ}] - \tfrac{1}{2}\right| \\
&\le \left|\Pr^{PKE}_D[\mathrm{Succ} \wedge \mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_D[\mathrm{Forge}]\right| + \left|\Pr^{PKE}_D[\mathrm{Succ} \wedge \neg\mathrm{Forge}] + \tfrac{1}{2}\Pr^{PKE}_D[\mathrm{Forge}] - \tfrac{1}{2}\right| \\
&\le \tfrac{1}{2}\Pr^{PKE}_D[\mathrm{Forge}] + \left|\Pr^{PKE}_D[\mathrm{Succ} \wedge \neg\mathrm{Forge}] + \tfrac{1}{2}\Pr^{PKE}_D[\mathrm{Forge}] - \tfrac{1}{2}\right| \\
&= \tfrac{1}{2}\Pr^{PKE}_D[\mathrm{Forge}] + \left|\Pr^{IBE}_B[\mathrm{Succ}] - \tfrac{1}{2}\right| \\
&\le \tfrac{1}{2}\epsilon_s + \epsilon_i.
\end{aligned}$$

The running time of B is at most $t + T_{kg} + q_d(T_v + T_d) + T_{sig}$, and it asks at most $q_s + q_d$ private key extraction queries, so the theorem holds.

IBE schemes meeting the standard model security requirements include those of Gentry [15] and Waters [?]. The latter results in a large public key (n + 3 group elements), though this could be reduced in practice by generating most of the elements from a seed in a pseudo-random manner. We focus on the instantiation of our construction using Gentry's scheme. This scheme was originally presented in the setting of symmetric pairings. When we translate it to the asymmetric setting (see the full version for details) and apply our construction at the 128-bit security level using BN curves with sextic twists, we obtain a combined public key scheme in which the public key consists of two elements of $G_1$ and two elements of $G_2$, giving a public key size of 1536 bits. Ciphertexts encrypt elements of $G_T$ and consist of an element of $G_1$, two elements of $G_T$, and a verification key and signature from OT, so are 2304 bits plus the bit length of a verification key and signature in OT. Signatures consist of an element of $\mathbb{Z}_p$ and an element of $G_2$, so are 768 bits in size. Here we assume that descriptions of groups and pairings are domain parameters that are omitted from our key size calculations. The security of this scheme depends on an assumption closely related to the decisional q-augmented bilinear Diffie-Hellman exponent assumption.





This construction could be improved further using the Boneh-Katz [?] alternative to the CHK transform. We omit the details in favour of our next scheme.


5 A More Efficient Construction 

The following scheme is based on the signature scheme by Boneh and Boyen [?] and a KEM obtained by applying the techniques by Boyen, Mei and Waters [?] to the second IBE scheme by Boneh and Boyen in [?]. The schemes make use of a bilinear pairing $e : G_1 \times G_2 \to G_T$, where the groups are of order p, and the KEM furthermore makes use of an always second-preimage resistant (aSec-secure) hash function $H : G_1 \to \{0,1\}^{n-1}$ where $2^n < p$. To obtain a full encryption scheme, the KEM is combined with a DEM, and we assume for simplicity that the key space of the DEM is $K = G_T$. Where a binary string is treated as a member of $\mathbb{Z}_p$ it is implicitly converted in the natural manner. The signature scheme supports messages in $\{0,1\}^{n-1}$, but can be extended to support messages in $\{0,1\}^*$ by using a collision resistant hash function, while the encryption scheme supports messages of arbitrary length due to the use of a DEM. Note that to minimize the public key size and ciphertext overhead in the scheme, the elements of the public key are placed in the group $G_1$. However, this implies that signatures contain an element of the group $G_2$, whose elements have larger bit representations.

KeyGen($1^k$): Choose random generators $g_1 \in G_1$, $g_2 \in G_2$ and random integers $x, y \in \mathbb{Z}_p^*$, and compute $X = g_1^x$ and $Y = g_1^y$. The public key is $(g_1, g_2, X, Y)$ and the private key is $(x, y)$.

Sign(sk, m): To sign a message $m \in \{0,1\}^{n-1}$, first prepend a zero to m to give $m' = 0\|m \in \{0,1\}^n$. Choose random $r \in \mathbb{Z}_p$. If $x + ry + m' = 0 \bmod p$ then select another $r \in \mathbb{Z}_p$. Compute $\sigma = g_2^{1/(x + m' + yr)} \in G_2$. The signature is $(\sigma, r) \in G_2 \times \mathbb{Z}_p$.

Verify(pk, σ, m): If $e(X \cdot g_1^{m'} \cdot Y^r, \sigma) = e(g_1, g_2)$, where $m' = 0\|m$, then return 1, otherwise return 0.

Encrypt(pk, m): To encrypt a message $m \in \{0,1\}^*$, choose random $s \in \mathbb{Z}_p^*$ and compute $c_1 = Y^s$ and $h = H(c_1)$. Prepend a 1 to h to give $h' = 1\|h \in \{0,1\}^n$, and compute $c_2 = X^s \cdot g_1^{s h'}$. Lastly, compute the key $K = e(g_1, g_2)^s \in G_T$ and encrypt the message m using the DEM, i.e. $c_3 = \mathrm{DEnc}(K, m)$. The ciphertext is $c = (c_1, c_2, c_3)$.

Decrypt(sk, c): To decrypt a ciphertext $c = (c_1, c_2, c_3)$, first compute $h = H(c_1)$ and prepend a 1 to h to get $h' = 1\|h$. If $c_1^{(x + h')/y} \ne c_2$, output ⊥. Otherwise, compute the key $K = e(c_1, g_2^{1/y}) \in G_T$, and output the message $m = \mathrm{DDec}(K, c_3)$.

We note that the computational cost of encryption and signature verification can be reduced by adding the redundant element $v = e(g_1, g_2)$ to the public key, but that this will significantly increase the public key size.
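As an added check, not part of the original paper, the two conditions that make the scheme above correct follow directly from the definitions of X, Y, $c_1$, $c_2$ and σ (the symbols are those of the scheme; nothing new is assumed). For a signature (σ, r) on m with $m' = 0\|m$, bilinearity gives

$$e(X \cdot g_1^{m'} \cdot Y^r, \sigma) = e\big(g_1^{x + m' + yr},\; g_2^{1/(x + m' + yr)}\big) = e(g_1, g_2),$$

which is also why Sign must discard an r with $x + m' + yr = 0 \bmod p$: the exponent $1/(x + m' + yr)$ does not exist. For a ciphertext $(c_1, c_2, c_3)$ with $c_1 = Y^s = g_1^{ys}$, the consistency check and the key recovered in Decrypt are

$$c_1^{(x + h')/y} = g_1^{ys \cdot (x + h')/y} = g_1^{s(x + h')} = X^s \cdot g_1^{s h'} = c_2, \qquad e(c_1, g_2^{1/y}) = e(g_1^{ys}, g_2^{1/y}) = e(g_1, g_2)^s = K.$$

The check is the part of the BMW technique that a deployment must not skip: a ciphertext whose $c_1$ has been altered yields a different $h'$ and fails the equation unless $c_2$ was recomputed for it, which requires the encryptor's s, so Decrypt returns ⊥ before any key reaches the DEM.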
Theorem 3. Suppose the $(t', q, \epsilon')$-SDH assumption holds in $(G_1, G_2)$. Then the above combined public key scheme is $(t, q_d, q_s, \epsilon)$-EUF-CMA secure in the presence of a decryption oracle given that

$$q_s \le q, \quad \epsilon \ge 2\epsilon' + q_s/p \approx 2\epsilon', \quad\text{and}\quad t \le t' - O(q_d T_p + (q_d + q^2) T_e),$$

where $T_p$ is the maximum time for evaluating a pairing and $T_e$ is the maximum time for computing an exponentiation in $G_1$, $G_2$ and $\mathbb{Z}_p$.

Theorem 4. Suppose that the hash function H is $(t_h, \epsilon_h)$-aSec secure, that the $(t_{dhi}, q_{dhi}, \epsilon_{dhi})$-DBDHI assumption holds in the groups $G_1, G_2$, and that the DEM is $(t_{dem}, q_{dem}, \epsilon_{dem})$-IND-CCA secure. Then the combined public key scheme above is $(t, q_d, q_s, \epsilon)$-IND-CCA secure in the presence of a signing oracle given that

$$q_s \le q_{dhi}, \quad q_d \le q_{dem}, \quad \epsilon \ge \epsilon_h + \epsilon_{dhi} + \epsilon_{dem} + q_s/p, \quad\text{and}\quad t \le t_{min} - O(q_d T_p + (q_{dhi} + q_d) T_e),$$

where $t_{min} = \min(t_h, t_{dhi}, t_{dem})$, $T_p$ is the maximum time for evaluating a pairing, and $T_e$ is the maximum time for computing an exponentiation in $G_1, G_2$.

The proofs of Theorems 3 and 4 can be found in the full version [?].

The above scheme provides public keys consisting of three group elements of $G_1$ and one group element of $G_2$. If the scheme is instantiated using the BN curves with sextic twists mentioned above, this translates into a public key size of 1280 bits for a 128-bit security level. Furthermore, assuming that the DEM is redundancy-free (which can be achieved if the DEM is a strong pseudorandom permutation [?]), the total ciphertext overhead is just two group elements of $G_1$, which translates into 512 bits. Signatures consist of a single group element of $G_2$ and an element of $\mathbb{Z}_p$, and will be 768 bits. Again, we assume that descriptions of groups and pairings are ignored in these calculations.

In the full version, we show how the construction can be extended to support tag-based encryption. This property is required to allow us to use the scheme to instantiate our combined signcryption, signature and encryption scheme (see the full version for details).

6 Comparison of Schemes 

In this section, we provide a comparison of the schemes arising from our IBE-based construction, our more efficient construction in Section 5 and the Cartesian product construction. In our comparison we will limit ourselves to other discrete-log/pairing-based schemes since provably secure (standard model) lattice-based schemes with short public keys are still unavailable and factoring-based schemes do not scale very well (for 128-bit security, the modulus would need to be > 3000 bits, which is not competitive). We will include group generators in public key size calculations as the required number depends on the scheme, but we allow sharing of generators between the signature and encryption components in Cartesian product instantiations to improve these constructions. Note that it is possible to reduce the private key of any scheme to a single short random seed by making the following simple modification to the scheme: to generate a public/private keypair, pick a random seed, generate the randomness required by the key generation algorithm by applying a pseudorandom generator to the seed, and generate the public/private keypair using this randomness, but store only the seed as the private key. Whenever the original private key is needed, re-compute it by applying the pseudorandom generator to the seed and re-running the key generation algorithm with the resulting randomness. This observation essentially makes the difference in private key sizes irrelevant, and we will not include this aspect in our comparison. We consider several instantiations of the Cartesian product construction with standard model secure encryption and signature schemes and give the results in Figure 2.
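The seed-based private key storage described in the paragraph above, as an added example that is not part of the paper. Key generation draws all of its randomness from a deterministic PRG expanded from the seed, so only the seed is stored and the keypair is recomputed on demand. The key generation algorithm is a constructed discrete-log toy over $\mathbb{Z}_p^*$ with $p = 2^{127} - 1$ and base 3, chosen only so that the block runs offline, and the SHAKE256 counter-mode PRG is likewise an assumed, illustrative choice rather than anything the paper specifies.

```python
# Added example (not from the paper): reducing a private key to a short seed.
# Only the seed is stored; the full keypair is recomputed from it on demand.
import hashlib
import secrets

# constructed toy group parameters (illustration only, not a production group):
# arithmetic in Z_p^* with the Mersenne prime p = 2^127 - 1 and base g = 3
P = (1 << 127) - 1
G = 3


class SeedPRG:
    """Deterministic byte stream derived from a seed (SHAKE256 in counter mode)."""

    def __init__(self, seed, label=b"keygen-v1"):
        if len(seed) < 32:
            raise ValueError("seed must carry at least 256 bits of entropy")
        self.seed, self.label, self.counter = seed, label, 0

    def next_bytes(self, n):
        # the label and a running counter give each output block its own input,
        # so the stream is reproducible and blocks never repeat
        data = self.label + self.counter.to_bytes(8, "big") + self.seed
        self.counter += 1
        return hashlib.shake_256(data).digest(n)

    def randbelow(self, bound):
        # 64 extra bits before the reduction keep the modular bias below 2^-64
        width = (bound.bit_length() + 7) // 8 + 8
        return int.from_bytes(self.next_bytes(width), "big") % bound


def keygen(rand):
    """Generic key generation: x from [1, p-2] via `rand`, public key X = g^x mod p."""
    x = 1 + rand.randbelow(P - 2)
    return pow(G, x, P), x


def fresh_seed():
    """The only secret that has to be stored; must come from a cryptographic RNG."""
    return secrets.token_bytes(32)


def derive_keypair(seed):
    """Recompute (pk, sk) from the seed; the same seed always yields the same pair."""
    return keygen(SeedPRG(seed))


def derive_public_key(seed):
    return derive_keypair(seed)[0]


if __name__ == "__main__":
    seed = fresh_seed()
    pk, sk = derive_keypair(seed)
    # re-deriving from the stored seed reproduces exactly the same keypair
    assert derive_keypair(seed) == (pk, sk)
    print(pk.bit_length(), derive_public_key(seed) == pk)
```

Two properties carry the security of this trick: the seed must come from a cryptographic RNG and be protected exactly as the private key it replaces, and the PRG together with the key generation code must stay fully deterministic and versioned (the label above plays that role), since any change to either silently turns the same seed into a different keypair.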

We will focus on Cartesian product instantiations using the scheme by Boneh and Boyen [?] as a signature component. This scheme is among the most efficient signature schemes and additionally has a short public key. To reduce the public key size even further, we can remove the redundant element $v = e(g_1, g_2)$ and place as many elements as possible in the group $G_1$ of the pairing. The latter implies that signatures will be elements of $G_2 \times \mathbb{Z}_p$, which results in an increase in signature size. However, since the Cartesian product constructions should compete with the combined public key schemes in terms of public key size, this tradeoff is desirable. While other signature schemes could be considered, we were not able to find a scheme providing shorter public keys without a significant disadvantage elsewhere. For instance, hash-based signature schemes give extremely short public keys (the hash function description plus the root digest), but result in signatures with length logarithmic in the number of messages to be signed. The signature scheme by Hofheinz and Kiltz [?] has shorter signatures than the Boneh-Boyen scheme and a public key consisting of a few group elements plus a hash key, but here the hash key will be long to achieve provable programmability.

For the encryption component, a relevant option is a DEM combined with the KEM obtained by applying the techniques by Boyen, Mei and Waters [?] to the second IBE scheme of Boneh and Boyen in [?], which also forms the basis of our concrete scheme. Combined with the Boneh-Boyen signature scheme, and assuming the group generators in the two schemes are shared, this yields a very efficient instantiation of the Cartesian product construction in which public keys consist of five group elements of $G_1$ and one group element of $G_2$ (and a key defining a target collision resistant hash function). This is larger by two elements of $G_1$ than the public key in our concrete construction from Section 5, which translates to a difference of 512 bits. Note that signature size, ciphertext overhead and computation costs are the same for the Cartesian product scheme and our construction.

  Signature Scheme     PKE Scheme          Public Key Size   Signature Size   Ciphertext Overhead
  BB [?]               BB [?] + BMW [?]    1792              768              512
  BB [?]               KD [22]             2048              768              640
  BB [?]               Kiltz [?]           1792              768              512
  CSE(Gentry)                              1536              768              1280 + |vk_OT| + |σ_OT|
  Scheme from Sec. 5                       1280              768              512

Fig. 2. Comparison of schemes at the 128-bit security level

Another encryption scheme to consider is that of Kurosawa and Desmedt [22]. Instantiating the Cartesian product construction with this scheme and the Boneh-Boyen signature scheme yields a scheme with a public key consisting of six elements of $G_1$ and one element of $G_2$ (and a key defining a target collision resistant hash), assuming that the Kurosawa-Desmedt scheme is implemented in $G_1$. Hence, the public key will be larger by three group elements of $G_1$ compared to our concrete construction, which equates to a difference of 768 bits at the 128-bit security level. Signature size and signing and verification costs will be the same as in our construction, whereas the ciphertext overhead will be slightly larger (an extra 128 bits) due to the requirement that the symmetric encryption scheme used in the Kurosawa-Desmedt scheme is authenticated. However, decryption costs will be lower since no pairing computations are required.

Lastly, the encryption scheme of Kiltz [?] might be considered. Again, combining this with the Boneh-Boyen signature scheme, and assuming group generators are shared, will yield a Cartesian product scheme with public keys consisting of five elements of $G_1$ and one element of $G_2$. This is two group elements of $G_1$ larger than the public key of our concrete construction, which equates to an increase of 512 bits at the 128-bit security level. Signature size and ciphertext overhead will be the same, while decryption in the Cartesian product scheme will be more efficient, since no pairing computations are required.

In summary, our concrete construction of a combined public key scheme admits shorter public keys than any instantiation of the Cartesian product construction of Section 3.1 with known standard model secure encryption and signature schemes, and furthermore enjoys compact ciphertexts and signatures.

7 Conclusions and Future Research 

We have revisited the topic of joint security for combined public key schemes, focussing on the construction of schemes in the standard model, an issue not fully addressed in prior work. We gave a general construction for combined public key schemes from weakly secure IBE, as well as a more efficient concrete construction based on pairings. Using BN curves, these can be efficiently instantiated at high security levels and have performance that is competitive with the best schemes arising from the Cartesian product construction. Our results fill the gap left open in the original work of Haber and Pinkas [?], of constructing standard-model-secure combined public key schemes in which the signature and encryption components share an identical keypair. An interesting open problem is to construct efficient combined public key schemes in the standard model not using pairings. For example, is it possible to obtain joint security in the discrete log or in the RSA setting, in the standard model?

Our work points the way to an interesting new research area in cryptography, which closely relates to and generalises the topic of cryptographic agility [?]. The general question can be posed as follows: under what conditions is it safe to use the same key (or key pair) across multiple instantiations of the same or different cryptographic primitives?
Abstract. We initiate the formal treatment of cryptographic constructions ("Polly Cracker") based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. We start by formalising the relation between the ideal remainder problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the negative side, we define a symmetric Polly Cracker encryption scheme and prove that this scheme only achieves bounded CPA security. Furthermore, we show that a large class of algebraic transformations cannot convert this scheme to a fully secure Polly-Cracker-style scheme. On the positive side, we formalise noisy variants of the ideal membership, ideal remainder, and Gröbner basis problems. These problems can be seen as natural generalisations of the LWE problem and the approximate GCD problem over polynomial rings. We then show that noisy encoding of messages results in a fully IND-CPA-secure somewhat homomorphic encryption scheme. Our results provide a new family of somewhat homomorphic encryption schemes based on new, but natural, hard problems. Our results also imply that Regev's LWE-based public-key encryption scheme is (somewhat) multiplicatively homomorphic for appropriate choices of parameters.

Keywords: Polly Cracker, Gröbner bases, LWE, Noisy encoding, Homomorphic encryption, Public-key encryption, Provable security.

1 Introduction 

Background. Homomorphic encryption [?] is a cryptographic primitive which allows performing arbitrary computations over encrypted data. From an algebraic perspective, this homomorphic feature can be seen as the ability to evaluate multivariate polynomials over ciphertexts. Hence, an instantiation of homomorphic encryption over multivariate polynomials is perhaps the most natural strategy.

Indeed, let $I \subset P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ be some ideal. We can encrypt a message $m \in P/I$ as $c = f + m$ for f randomly chosen in I. Decryption is performed by computing remainders modulo I. From the definition of an ideal the homomorphic features of this scheme follow. The problem of computing remainders modulo an ideal was solved by Buchberger in [?], where he introduced the notion of Gröbner bases, and gave an algorithm for computing such bases.

In fact, all known doubly homomorphic schemes are based on variants of the ideal remainder problem over various rings. For example, in [?] the ideal $(p) \subset \mathbb{Z}$ for p an odd integer is considered. In [?] ideals in a number field play the same role (cf. [?]). One can even view Regev's LWE-based public-key encryption scheme [?] in this framework. Finally, we note that the construction displayed above is essentially Polly Cracker (PC) [17]. However, despite their simplicity, our confidence in PC-style schemes has been shaken as almost all such proposals have been broken [?]. In fact, it is a long standing open research challenge to propose a secure PC-style encryption scheme [?].

Contributions & Organisation. Our contributions can be summarised as 
follows: 1) we initiate the formal treatment of PC-style schemes and characterise 
their security; 2) we show the impossibility of converting such schemes to fully 
IND-CPA-secure schemes through a large class of transformations; 3) we intro- 
duce natural noisy variants of classical problems related to Grobner bases which 
also generalise previously considered noisy problems; and 4) we present a new 
somewhat (and doubly) homomorphic encryption scheme based on a new class 
of computationally hard problems. 

In more detail, after settling notation in Section 2 we formalise various problems from commutative algebra in the language of game-based security definitions in Section 3. In particular, we show that computing remainders modulo an ideal with overwhelming probability is equivalent to computing a Gröbner basis for zero-dimensional ideals. We then show that deciding ideal membership and computing ideal remainders are equivalent for certain choices of parameters. We then introduce a symmetric variant of Polly Cracker and characterise its security guarantees. We show that this scheme achieves bounded IND-CPA security, and that this level of security is the best that one can hope for: we give an attacker which breaks the cryptosystem once enough ciphertexts are obtained.

In Section [?] we show that the security limitations of the constructed scheme are in some sense intrinsic. More precisely, we show that a large class of algebraic transformations cannot turn this scheme into a (fully) IND-CPA secure and additively homomorphic PC-style scheme.

To go beyond this limitation, we consider constructions where the encoding of messages is randomised. To prove security for such schemes, we consider noisy variants of the ideal membership and related problems. These can be seen as natural generalisations of the (decisional) LWE and the approximate GCD problems over polynomial rings (Section [?]). After formalising and justifying the hardness of the noisy assumptions in Section [?] we show that noisy encoding of messages can indeed be used to construct a fully IND-CPA-secure somewhat homomorphic scheme. This result also implies that Regev's LWE-based public-key scheme is multiplicatively homomorphic under appropriate choices of parameters. Our result, together with a standard symmetric-to-asymmetric conversion for homomorphic schemes, provides a positive answer to the long standing open problem proposed by Barkee et al. [?]. In addition, we provide a new family of somewhat homomorphic schemes which are based on new natural variants of well-studied hard problems. Due to space limitations, we discuss concrete parameter choices and include a reference implementation in the full version of the paper [?]. There, we also show how our scheme allows proxy re-encryption of ciphertexts. This re-encryption procedure can be seen as trading noise for degree in ciphertexts. That is, we can control the growth of the ciphertext size due to multiplication by tolerating more noise. We note that this technique was recently and independently developed in [?]. In [?], we also show that our scheme achieves a limited form of key-dependent message (KDM) security in the standard model, where the least significant bit of the constant term of the key is encrypted. We leave it as an open problem to adapt the techniques of [?] to achieve full KDM security for the Polly Cracker with noise scheme.

1.1 Related Work 

Polly Cracker. In 1993, Barkee et al. wrote a paper [?] whose aim was to dispel the urban legend that "Gröbner bases are hard to compute". Another goal of this paper was to direct research towards sparse systems of multivariate equations. To do so, the authors proposed the most obvious dense Gröbner-based cryptosystem, namely an instantiation of the construction mentioned at the beginning of the introduction. In their scheme, the public key is a set of polynomials $\{f_0, \ldots, f_{m-1}\} \subset I$ which is used to construct an element $f \in I$. Encryption of a message $m \in P/I$ is computed as $c = \sum_i h_i f_i + m = f + m$ for $f \in I$. The private key is a Gröbner basis G which allows one to compute $m = c \bmod I = c \bmod G$. As highlighted in [?], this scheme can be broken using results from [?] (cf. Theorem [?]). At about the same time, and independently from the work of Barkee et al., Fellows and Koblitz [?] proposed a framework for the design of public-key cryptosystems. The ideas in [?] were similar to Barkee et al.'s, but differed in some details. However, the main instantiation of such a system was the Polly Cracker cryptosystem. Subsequently, a variety of sparse PC-style schemes were proposed. The focus on sparse polynomials aimed to prevent the attack based on Theorem [?], yet almost all of these schemes were broken. We point the reader to [?] for a good survey of various constructions and attacks. Currently, the only PC-style scheme which is not broken is the scheme in [?]. This scheme is based on binomial ideals (which in turn are closely related to lattices). Not only can our constructions be seen as instantiations of Polly Cracker (with and without noisy encoding of messages), they also allow security proofs based on the hardness of computational problems related to (multivariate) polynomial ideals with respect to random systems.
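As an added example, not the paper's reference implementation, the symmetric Polly Cracker scheme $c = f + m$ from the Introduction (and the ideal-remainder decryption shared with the public-key variant recalled above) can be exercised on a toy instance: I is the ideal of a single point $a \in \mathbb{F}_q^n$, whose reduced lex Gröbner basis is $G = \{x_0 - a_0, \ldots, x_{n-1} - a_{n-1}\}$, so $P/I \cong \mathbb{F}_q$ and the remainder of c modulo G is the evaluation c(a). The parameters q = 101, n = 3 and the degree bound on the random multipliers are constructed for illustration.

```python
# Added example (not from the paper): symmetric Polly Cracker over a toy ideal.
# Polynomials in P = F_q[x_0, ..., x_{n-1}] are dicts {exponent tuple: coeff}
# holding only nonzero coefficients, e.g. {(1, 0, 0): 3, (0, 0, 0): 5} is 3*x_0 + 5.
import secrets
from itertools import product

Q = 101   # constructed: prime field F_q
N = 3     # constructed: number of variables
DEG = 2   # constructed: degree bound of the random multipliers h_i
ZERO = (0,) * N   # the exponent tuple of the constant monomial


def poly_add(a, b):
    r = dict(a)
    for mono, c in b.items():
        s = (r.get(mono, 0) + c) % Q
        if s:
            r[mono] = s
        else:
            r.pop(mono, None)
    return r


def poly_mul(a, b):
    r = {}
    for m1, c1 in a.items():
        for m2, c2 in b.items():
            mono = tuple(e1 + e2 for e1, e2 in zip(m1, m2))
            r[mono] = (r.get(mono, 0) + c1 * c2) % Q
    return {m: c for m, c in r.items() if c}


def random_poly(deg):
    """Uniformly random polynomial of total degree <= deg."""
    p = {}
    for mono in product(range(deg + 1), repeat=N):
        if sum(mono) <= deg:
            c = secrets.randbelow(Q)
            if c:
                p[mono] = c
    return p


def evaluate(p, point):
    total = 0
    for mono, c in p.items():
        term = c
        for e, v in zip(mono, point):
            term = term * pow(v, e, Q) % Q
        total = (total + term) % Q
    return total


def keygen():
    """Private key: a random point a and the Gröbner basis {x_i - a_i} of its ideal."""
    a = tuple(secrets.randbelow(Q) for _ in range(N))
    gb = []
    for i in range(N):
        x_i = tuple(1 if j == i else 0 for j in range(N))
        gb.append(poly_add({x_i: 1}, {ZERO: (-a[i]) % Q}))   # x_i - a_i
    return a, gb


def encrypt(gb, m):
    """c = sum_i h_i * g_i + m with random h_i, i.e. c = f + m for a random f in I."""
    c = {ZERO: m % Q} if m % Q else {}
    for g in gb:
        c = poly_add(c, poly_mul(random_poly(DEG), g))
    return c


def decrypt(a, c):
    """Remainder of c modulo G; for this lex basis it is the constant c(a)."""
    return evaluate(c, a)


def is_in_ideal(a, f):
    """Ideal membership for the ideal of a point: f is in I iff f(a) = 0."""
    return evaluate(f, a) == 0


if __name__ == "__main__":
    a, gb = keygen()
    c1, c2 = encrypt(gb, 7), encrypt(gb, 9)
    # ring operations on ciphertexts act on the plaintexts in F_q
    print(decrypt(a, c1), decrypt(a, poly_add(c1, c2)), decrypt(a, poly_mul(c1, c2)))
```

Decrypting poly_add(c1, c2) and poly_mul(c1, c2) recovers $m_1 + m_2$ and $m_1 m_2$, which is the doubly homomorphic property the Introduction derives from the definition of an ideal. The toy also makes the paper's negative result tangible: every ciphertext of a known message hands out the ideal element $c - m$, and once enough such elements are collected a Gröbner basis for I can be recomputed from them, which is the attack behind the bounded-CPA characterisation of the symmetric scheme.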

Homomorphic Encryption. With respect to doubly (i.e., additively and multiplicatively) homomorphic schemes, a number of different hardness assumptions and constructions appeared in the literature. These include the Ideal Coset Problem of Gentry [?], the approximate GCD problem over the integers of van Dijk et al. [?], the Polynomial Coset Problem as proposed by Smart and Vercauteren in [?], the Approximate Unique Shortest Vector Problem, the Subgroup Decision Problem, and the Differential Knapsack Vector Problem which appear in [?]. The main difference between our work and previous work is that we base the security of our somewhat homomorphic scheme on new computational problems related to ideals over multivariate polynomial rings. Furthermore, due to the versatility of Gröbner basis theory, our work can be seen as a generalisation of a number of known schemes and their underlying hardness assumptions. However, while our construction is doubly homomorphic and reasonably efficient for low multiplicative circuit depths, it is currently an open problem how to make it bootstrappable and hence turn it into a fully homomorphic scheme.

MQ Cryptography. Our work bears some connection with public-key cryptosystems based on the hardness of solving multivariate quadratic equations (MQ). The difference is that our cryptographic constructions enjoy strong reductions to the known and hard problem of solving a random system of equations, whereas the bulk of work in MQ cryptography relies on heuristic security arguments [?]. In contrast, our work is more in the direction of research initiated by Berbain et al. [?], who proposed a stream cipher whose security was reduced to the difficulty of solving a system of random multivariate quadratic equations over $\mathbb{F}_2$. Note also that the concept of adding noise to a system of multivariate equations has also been proposed by Gouget and Patarin in [?] for the design of an authentication scheme. Our work, however, presents a more general and complete treatment of problems related to ideals over multivariate polynomials, both with and without noise, and aims to provide a formal basis to assess the security of cryptosystems based on such problems.

2 Preliminaries 

Notation. We write $x \leftarrow y$ for assigning value y to a variable x, and $x \leftarrow_\$ X$ for sampling x from a set X uniformly at random. If A is a probabilistic algorithm we write $y \leftarrow_\$ A(x_1, \ldots, x_n)$ for the action of running A on inputs $x_1, \ldots, x_n$ with uniformly chosen random coins, and assigning the result to y. For a random variable X we denote by [X] the support of X, i.e., the set of all values that X takes with non-zero probability. We use ppt for probabilistic polynomial-time. We call $\eta(\lambda)$ negligible if $|\eta(\lambda)| \in \lambda^{-\omega(1)}$.

Commutative Algebra Notation. In [?] we recall some basic definitions related to Gröbner bases. For a more detailed treatment we refer to, for instance, [?]. We consider a polynomial ring $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ over some finite field (typically $\mathbb{F}_q$), some monomial ordering on elements of P, and a set of polynomials $f_0, \ldots, f_{m-1}$. We denote by M(f) the set of all monomials appearing in $f \in P$. By LM(f) we denote the leading monomial appearing in $f \in P$ according to the chosen term ordering. We denote by LC(f) the coefficient $\in \mathbb{F}$ corresponding to LM(f) in f and set LT(f) = LC(f) · LM(f). We denote by $P_{\le d}$ the set of polynomials of degree $\le d$ (and analogously for the <, ≥, > and = relations). We define $P_{=0}$ as the underlying field including $0 \in \mathbb{F}$. We define $P_{<0}$ as zero. Finally, we denote by $M_{<m}$ the set of all monomials < m for some monomial m (and analogously for the >, ≤, ≥ and = relations). We assume the usual power product representation for elements of P.

3 Gröbner Basis and Ideal Membership Problems 

Following [ref], we define a computational polynomial ring scheme. This is a 
general framework which allows us to discuss concretely the different families 
of rings that may be used in cryptographic applications. More formally, a 
computational polynomial ring scheme $\mathcal{P}$ is a sequence of probability 
distributions of polynomial ring descriptions $(\mathcal{P}_\lambda)_{\lambda \in \mathbb{N}}$. 
A polynomial ring description $P$ specifies various algorithms associated with 
$P$ such as computing ring operations, sampling elements, testing membership, 
encoding of elements, ordering of monomials, etc. We assume each polynomial 
ring distribution is over $n = n(\lambda)$ variables, for some polynomial $n(\lambda)$, 
and is over a finite prime field of size $q(\lambda)$. 

In this work we denote by $\mathrm{GBGen}(1^\lambda, P, d)$ an arbitrary ppt algorithm 
which outputs a reduced Gröbner basis $G$ for some zero-dimensional ideal 
$I \subset P$ such that every element of $G$ is of degree at most $d$. Of 
particular interest to this paper is the Gröbner basis generation algorithm 
shown in Algorithm 1, called $\mathrm{GBGen}_{\mathrm{dense}}(\cdot)$. (Algorithm 
$\mathrm{ReduceGB}(\cdot)$ is given in [ref].) We show in [ref] that 
$\mathrm{GBGen}_{\mathrm{dense}}(\cdot)$ returns a Gröbner basis. Throughout the paper we 
assume an implicit dependency of various parameters associated with $P$ on 
the security parameter. Thus, we drop $\lambda$ to ease notation. 


Algorithm 1: Algorithm GBGen_dense(1^λ, P, d) 

  begin 
    if d = 0 then return {0}; 
    for 0 ≤ i < n do 
      for m_j ∈ M_{<x_i^d} do 
        a_j ←$ F_q; 
      g_i ← Σ_j a_j m_j; 
    return ReduceGB({x_0^d + g_0, ..., x_{n-1}^d + g_{n-1}}); 
  end 


We can now formally define the problem of computing a Grobner basis. 

Definition 1. The Gröbner basis problem is defined through the game denoted 
$\mathrm{GB}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,m}$ as shown in Figure 1. The advantage of a ppt 
algorithm $A$ in solving the GB problem is defined as the probability of winning 
the game (i.e., the game returning $\mathrm{T}$). An adversary is legitimate if it 
calls the Sample procedure at most $m = m(\lambda)$ times. 


  Initialize(1^λ, P, d): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      return (1^λ, P); 
    end 

  Sample(): 
    begin 
      f ←$ P_{≤b}; 
      f ← f − (f mod G); 
      return f; 
    end 

  Finalize(G'): 
    begin 
      return (G = G'); 
    end 

Fig. 1. Game GB_{𝒫,GBGen(·),d,b,m} 


We show in [ref] that Sample returns elements of degree $b$ which are uniformly 
distributed in $\langle G \rangle$. Recall that, given a Gröbner basis $G$ of an 
ideal $I$, $r = f \bmod I = f \bmod G$ is the normal form of $f$ with respect to 
the ideal $I$. We sometimes drop the explicit reference to $I$ when it is clear 
from the context which ideal we are referring to, and simply refer to $r$ as the 
normal form of $f$. Computing normal forms is the ideal remainder problem, which 
we formalise below. 

Definition 2. The ideal remainder problem is defined through the game 
$\mathrm{IR}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,m}$ shown in Figure 2. The advantage of a ppt 
algorithm $A$ in solving the IR problem is defined as the probability of winning 
the game minus $1/q^{\dim_{\mathbb{F}_q}(P/\langle G \rangle)}$. An adversary is legitimate 
if it calls the Sample procedure at most $m = m(\lambda)$ times. 


  Initialize(1^λ, P, d): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      return (1^λ, P); 
    end 

  Sample(): 
    begin 
      f ←$ P_{≤b}; 
      f ← f − (f mod G); 
      return f; 
    end 

  Challenge(): 
    begin 
      f ←$ P_{≤b}; 
      return f; 
    end 

  Finalize(r'): 
    begin 
      return (r' = (f mod G)); 
    end 

Fig. 2. Game IR_{𝒫,GBGen(·),d,b,m} 

In Lemma 1 below we prove a weak form of equivalence between the above 
problems. That is, we require that the IR adversary returns the correct answer 
with an overwhelming probability. This is due to the restriction that Sample 
can only be called a bounded number of times, and thus one cannot amplify the 
success probability of the IR adversary through repetition. The weak statement 
is sufficient in our context. 

Lemma 1. If the GB problem is hard, then the IR problem is weakly hard (i.e., 
cannot be solved with overwhelming probability). Furthermore, if the IR problem 
is hard then so is the GB problem. 
The precise theorem statement and a proof are given in [ref]. Informally, the 
reduction of the GB problem to the IR problem works as follows. Consider an 
arbitrary element $g_i$ in the Gröbner basis $G$. We can write $g_i$ as 
$m_i + \tilde{g}_i$ for some $\tilde{g}_i < g_i$ and $m_i = \mathrm{LM}(g_i)$. Now, assume 
the normal form of $m_i$ is $r_i$ and suppose that $r_i < m_i$. This implies 
that $m_i = h_i g_i + r_i$ for some $h_i \in P$. Hence, we have 
$m_i - r_i \in \langle G \rangle$, an element $\in \langle G \rangle$ with leading 
monomial $m_i$. Repeat this process for all monomials up to and including 
degree $d$ and accumulate the results $m_i - r_i$ in a list $\tilde{G}$. The list 
$\tilde{G}$ is a list of elements $\in \langle G \rangle$ with 
$\mathrm{LM}(\tilde{G}) \supseteq \mathrm{LM}(G)$, which implies $\tilde{G}$ is a Gröbner basis. 
We note that this is the core idea behind the FGLM algorithm [ref]. 

The decisional variant of the IR problem is to decide whether the normal form 
of some element modulo an ideal is zero or not, i.e., whether this element is in 
the ideal or not. This is the ideal membership problem formalised below. 

Definition 3. The ideal membership problem is defined through the game 
denoted $\mathrm{IM}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,m}$ as shown in Figure 3. The advantage 
of a ppt algorithm $A$ in solving IM is defined as twice the probability of 
winning the game minus 1. An adversary is legitimate if it calls the Sample 
procedure at most $m = m(\lambda)$ times. 


  Initialize(1^λ, P, d): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      c ←$ {0, 1}; 
      return (1^λ, P); 
    end 

  Sample(): 
    begin 
      f ←$ P_{≤b}; 
      f' ← f mod G; 
      return f − f'; 
    end 

  Challenge(): 
    begin 
      f ←$ P_{≤b}; 
      if c = 1 then 
        f ← f − (f mod G); 
      return f; 
    end 

  Finalize(c'): 
    begin 
      return (c = c'); 
    end 

Fig. 3. Game IM_{𝒫,GBGen(·),d,b,m} 

Clearly any adversary which can solve the IR problem can also solve the IM 
problem. However, if the search space of remainders modulo $\langle G \rangle$ is 
sufficiently small, i.e., when $q^{\dim_{\mathbb{F}_q}(P/\langle G \rangle)} = \mathrm{poly}(\lambda)$, 
and under similar assumptions as for Lemma 1, one can also perform the converse 
reduction. That is, one can solve the IR problem using an oracle for the IM 
problem. Lemma 2 below proves this equivalence for the special case of 
$\mathrm{GBGen}_{\mathrm{dense}}(\cdot)$. Once again, this is sufficient in our context. As 
before, for Lemma 2 to be meaningful we require that the IM adversary returns 
the correct answer with overwhelming probability. 

Lemma 2. If the IR problem is hard, then the IM problem is weakly hard for 
poly-sized $q^{\dim_{\mathbb{F}_q}(P/\langle G \rangle)}$. Furthermore, if the IM problem is 
hard, then the IR problem is also hard. 

Informally, the construction of an IR adversary from an IM adversary proceeds 
as follows. Let $f$ be the challenge polynomial. The attacker simply exhaustively 
searches all elements of the $\mathbb{F}_q$ vector space $P/\langle G \rangle$ until the 
right remainder $r$ is found. This occurs if $f - r \in \langle G \rangle$ and can 
then be detected using an IM adversary. However, there is a technical difficulty 
here. In general, the attacker does not necessarily know the support of 
$P/\langle G \rangle$ and hence cannot know how to construct $r$. However, in our 
case we assume that $\mathrm{GBGen}(\cdot) = \mathrm{GBGen}_{\mathrm{dense}}(\cdot)$ and this difficulty 
does not arise. In a more general setting, we would have to discover 
$P/\langle G \rangle$ as well (cf. the proof of Lemma [ref]). See [ref] for the proof. 

Complexity estimates for Gröbner basis computations [ref], together with 
the above results, lead to the following hardness assumptions. 

Definition 4. Let $\mathcal{P}$ be such that $n(\lambda) = \Omega(\lambda)$. Assume $b - d > 0$, 
$b > 1$, and that $m(\lambda) = c \cdot n(\lambda)$ for a constant $c > 1$. Then the 
advantage of any ppt algorithm in solving the GB/IR/IM problem is negligible 
as a function of $\lambda$. 

4 Symmetric Polly Cracker: Noise-Free Version 

4.1 Homomorphic Symmetric Encryption 

Syntax. A homomorphic symmetric-key encryption scheme (HSKE) is specified 
by four ppt algorithms: 1) $\mathrm{Gen}(1^\lambda)$ is the key generation algorithm and 
returns a key pair $(\mathrm{SK}, \mathrm{PK})$, a message space $\mathrm{MsgSp}(\mathrm{PK})$ and a 
function space $\mathrm{FunSp}(\mathrm{PK})$. 2) $\mathrm{Enc}(m, \mathrm{SK})$ is the encryption 
algorithm and returns a ciphertext $c$. 3) $\mathrm{Eval}(c_0, \ldots, c_{t-1}, C, \mathrm{PK})$ 
is the evaluation algorithm and outputs a ciphertext $c_{\mathrm{evl}}$. 
4) $\mathrm{Dec}(c_{\mathrm{evl}}, \mathrm{SK})$ is the deterministic decryption algorithm and 
returns either a message $m$ or a special failure symbol $\bot$. 

Correctness. An HSKE scheme is correct if for any $\lambda \in \mathbb{N}$, any 
$(\mathrm{SK}, \mathrm{PK}) \in [\mathrm{Gen}(1^\lambda)]$, any $t$ messages $m_i \in \mathrm{MsgSp}(\mathrm{PK})$, 
any circuit $C \in \mathrm{FunSp}(\mathrm{PK})$, any $t$ ciphertexts 
$c_i \in [\mathrm{Enc}(m_i, \mathrm{SK})]$, and any evaluated ciphertext 
$c_{\mathrm{evl}} \in [\mathrm{Eval}(c_0, \ldots, c_{t-1}, C, \mathrm{PK})]$, we have that 
$\mathrm{Dec}(c_{\mathrm{evl}}, \mathrm{SK}) = C(m_0, \ldots, m_{t-1})$. We do not necessarily 
require correctness over freshly created ciphertexts. 

Compactness. An HSKE scheme is compact if there exists a fixed polynomial 
bound $B(\cdot)$ so that for any key pair $(\mathrm{SK}, \mathrm{PK}) \in [\mathrm{Gen}(1^\lambda)]$, 
any circuit $C \in \mathrm{FunSp}(\mathrm{PK})$, any set of $t$ messages 
$m_i \in \mathrm{MsgSp}(\mathrm{PK})$, any ciphertexts $c_i \in [\mathrm{Enc}(m_i, \mathrm{SK})]$, and 
any evaluated ciphertext $c_{\mathrm{evl}} \in [\mathrm{Eval}(c_0, \ldots, c_{t-1}, C, \mathrm{PK})]$, 
the size of $c_{\mathrm{evl}}$ is at most $B(\lambda + |C(m_0, \ldots, m_{t-1})|)$ 
(independently of the size of $C$). 

The syntax, correctness, and compactness of a homomorphic public-key en- 
cryption scheme are defined similarly. 

4.2 The Scheme 

In this section we formally define the (noise-free) symmetric Polly Cracker en- 
cryption scheme. We present a family of schemes parameterised not only by the 
underlying computational polynomial ring scheme V, but also by a Grobner ba- 
sis generation algorithm, which itself depends on a degree bound d, and a second 
degree bound $b$. Our parameterised scheme, which we write as 
$\mathrm{SPC}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b}$, is presented in Figure 4. The message space is $P/I$. 

Correctness of evaluation can be verified by a straight-forward calculation. 
This scheme is not compact since multiplications square the size of the cipher- 
text. 
  Gen_{𝒫,GBGen(·),d,b}(1^λ): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBG​en(1^λ, P, d); 
      SK ← (G, P, b); 
      PK ← (P, b); 
      return (SK, PK); 
    end 

  Enc(m, SK), Dec(c, SK), Eval(c_0, ..., c_{t-1}, C, PK): (bodies missing in the source) 

Fig. 4. The (noise-free) Symmetric Polly Cracker scheme SPC_{𝒫,GBGen(·),d,b} 


4.3 Security 

We will show that the above scheme only achieves a weak version of chosen- 
plaintext security, which allows access to a limited number of ciphertexts. 

Definition 5. The $m$-time IND-BCPA security of a (homomorphic) symmetric- 
key encryption scheme SKE is defined through a game $\mathrm{IND\text{-}BCPA}_{m,\mathrm{SKE}}$, 
which is similar to IND-CPA except that the adversary can query its encryption 
and left-or-right oracles a total of at most $m = m(\lambda)$ times. We say SKE is 
$m$-IND-BCPA secure if the advantage of any ppt adversary $A$, defined as twice 
the probability of winning the game minus 1, is negligible. 

Theorem 1. The scheme in Figure 4 is $m$-IND-BCPA secure iff the IM problem 
is hard. 

See [ref] for the proof. As a corollary, observe that when $m(\lambda) = O(\lambda^b)$ 
one can construct an adversary which breaks the $\mathrm{IND\text{-}BCPA}_{m,\mathrm{SKE}}$ 
security of SPC in polynomial time. Thus we can only hope to achieve security 
in the bounded model for this scheme. 

5 Symmetric-to-Asymmetric Conversion 

Our goal for the rest of the paper is to convert the above scheme to one which is 
both fully IND-CPA secure and somewhat homomorphic. Once we achieve this, it 
is possible to construct a public-key scheme using the homomorphic features of 
the symmetric scheme by applying various generic conversions. In the literature 
there are two prominent such conversions: 

(A) Publish a set of encryptions of zero $F_0$ as part of the public key. To 
encrypt $m \in \{0, 1\}$ compute $c = \sum_{f_i \in S} f_i + m$, where $S$ is a sparse 
subset of $F_0$ [ref]. 

(B) Publish two sets $F_0$ and $F_1$ of encryptions of zero and one as part of the 
public key. To encrypt $m \in \{0, 1\}$ compute 
$c = \sum_{f_i \in S_0} f_i + \sum_{f_i \in S_1} f_i$, with $S_0$ and $S_1$ being sparse 
subsets of $F_0$ and $F_1$ respectively such that the parity of $|S_1|$ is $m$. 
Decryption checks whether $\mathrm{Dec}(c, \mathrm{SK})$ is even or odd [ref]. 

The security of the above transformations rests upon the (computational) in- 
distinguishability of asymmetric ciphertexts from those produced directly using 
the symmetric encryption algorithm. As noted above, since SPC is not IND-CPA 
secure the above transformations cannot be used. However, one could envisage 
a larger class of transformations which might lead to a fully secure additively 
homomorphic SKE (or equivalently an additively homomorphic PKE) scheme. 
In this section we rule out a large class of such transformations. To this end, we 
consider PKE schemes which lie within the following design methodology. 

1. The secret key is the Gröbner basis $G$ of a zero-dimensional ideal $I \subset P$. 
The decryption algorithm computes $c \bmod I = c \bmod G$ (perhaps together 
with some post-processing such as a mod 2 operation). Thus, the message 
space is (essentially) $P/I$. We assume that $P/I$ is known. 

2. The public key consists of elements $f_i \in P$. We assume that the remainders 
of these elements modulo the ideal $I$, i.e., $r_i := f_i \bmod I$, are known. 

3. A ciphertext is computed using ring operations. In other words, it can be 
expressed as $f = \sum_{i=0}^{N-1} h_i f_i + r$. Here $f_i$ are as in the public key, 
$h_i$ are some polynomials (possibly depending on $f_i$), and $r$ is an encoding 
in $P/I$ of the message. 

4. The construction of the ciphertext does not encode knowledge of $I$ beyond 
$f_i$. That is, we have $(\sum_{i=0}^{N-1} h_i f_i + r) \bmod I = \sum_{i=0}^{N-1} h_i r_i + r$. 
Hence we have that $\sum_{i=0}^{N-1} h_i r_i + r \in P/I$ as an element of $P$. 

5. The security of the scheme relies on the fact that elements $f$ produced at 
step (3) are computationally indistinguishable from random elements in $P_{\le b}$. 

Condition 4 imposes some real restrictions on the set of allowed transformations, 
but strikes a reasonable balance between allowing a general statement and not 
ruling out too large a class of conversions. It requires that the $r_i$ and $r$ do 
not encode any information about the secret key. We currently require this 
restriction on the “expressive power” of $r_i$ and $r$ so as to make a general 
impossibility statement. If $r_i$ and $r$ produce a non-zero element in $I$ using 
some arbitrary algorithm $A$, we are unable to prove anything about the 
transformation. Furthermore, it is plausible that for any given $A$ a similar 
impossibility result can be obtained if the remaining conditions hold. 

Note that the two transformations above are special linear cases of this 
methodology. For transformation (A) we have that $f_i \in I$ (hence $r_i = 0$), 
$h_i \in \{0, 1\}$ and $r = m$. For transformation (B) we have $r_i = 0$ if $f_i \in F_0$, 
$r_i = 1$ if $f_i \in F_1$, $h_i \in \{0, 1\}$, and $r = 0$. 

To show that any conversion of the above form cannot lead to an IND-CPA- 
secure public-key scheme, we will use the following theorem, which was also 
used in [ref] to discourage the use of Gröbner bases for public-key schemes. 

Theorem 2 ([ref]). Let $I = \langle f_0, \ldots, f_{m-1} \rangle$ be an ideal in the polynomial 
ring $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$, $h$ be such that $\deg(h) \le D$, and 

$$h - (h \bmod I) = \sum_{i=0}^{m-1} h_i f_i, \quad \text{where } h_i \in P \text{ and } \deg(h_i f_i) \le D.$$ 

Let $G$ be the output of some Gröbner basis computation algorithm up to degree 
$D$. Then $h \bmod I$ can be computed by polynomial reduction of $h$ via $G$. 
The main result of this section is a consequence of the above theorem. It essen- 
tially states that uniformly sampling elements of the ideal up to some degree is 
equivalent to computing a Gröbner basis for the ideal. Note that in itself 
Theorem 2 does not provide this result, since there is no assumption about the 
“quality” of $h$. Hence, to prove this result we first show that the above 
methodology implies sampling as in Theorem 2 but with uniformly random output. 
Theorem 2 then allows us to compute normal forms which (because of the 
randomness of $h$) allows the computation of a Gröbner basis by Lemma 1. The 
proof of Theorem 3 is given in [ref]. 

Theorem 3. Let $G = \{g_0, \ldots, g_{s-1}\}$ be the reduced Gröbner basis of the zero- 
dimensional ideal $I$ in the polynomial ring $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ where each 
$\deg(g_i) \le d$. Assume that $P/I$ is known. Furthermore, let $F = \{f_0, \ldots, f_{N-1}\}$ 
be a set of polynomials with known $r_i := f_i \bmod I$. Let $A$ be a ppt algorithm 
which given $F$ produces elements $f = \sum h_i f_i + r$ with $\deg(f) \le b$, $h_i \in P$, 
$b \le B$, $\deg(h_i f_i) \le B$, and $(f \bmod I) = \sum h_i r_i + r$. Suppose further that 
the outputs of $A$ are computationally indistinguishable from random elements in 
$P_{\le b}$. Then there exists an algorithm which computes a Gröbner basis for $I$ from 
$F$ in $O(n^{3B})$ field operations. 

Therefore, if for some degree $b > d$ computationally uniform elements of $P_{\le b}$ 
can be produced using the public key $f_0, \ldots, f_{N-1}$, there is an attacker which 
recovers the secret key $g_0, \ldots, g_{s-1}$ in essentially the same complexity. Hence, 
while conceptually simple and provably secure up to some bound, our symmetric 
Polly Cracker scheme $\mathrm{SPC}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b}$ does not provide a valid building 
block for constructing a fully homomorphic public-key encryption scheme. 

Remark. Although the above impossibility result is presented for public-key en- 
cryption schemes, due to the equivalence result of [ref], it also rules out the exis- 
tence of additively homomorphic symmetric PC-style schemes with full IND-CPA 
security. 

6 Gröbner Bases with Noise 

In this section, we introduce noisy variants of the problems presented in Sec- 
tion 3. The goal is to lift the restriction on the number of samples that the ad- 
versary can obtain, and, following a similar design methodology to Polly Cracker, 
construct an IND-CPA-secure scheme. That is, we consider problems which natu- 
rally arise if we consider noisy encoding of messages in SPC. Similarly to [ref], 
we expect a problem which is efficiently solvable in the noise-free setting to be 
hard in the noisy setting. We will justify this assumption in Section 6.1 by argu- 
ing that our construction can be seen as a generalisation of [ref]. The games 
below will be parameterised by a noise distribution. The discrete Gaussian dis- 
tribution, denoted $\chi_{\alpha,q}$ for standard deviation $\alpha q$ and modulus $q$, is of 
particular interest to us (cf. [ref]). 

We now define a noisy variant of the Gröbner basis problem. The task here 
is still to compute a Gröbner basis for some ideal $I$. However, we are now only 
given access to a noisy sample oracle which provides polynomials which are not 
necessarily in $I$ but rather are “close” approximations to elements of $I$. Here 
the term “close” is made precise using a noise distribution $\chi$ on $P/I$. 

Definition 6. The Gröbner basis with noise problem is defined through the game 
$\mathrm{GBN}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,\chi}$ as shown in Figure 5. The advantage of a ppt 
algorithm $A$ in solving the GBN problem is the probability of winning the game. 


  Initialize(1^λ, P, d): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      return (1^λ, P); 
    end 

  Sample(): 
    begin 
      f ←$ P_{≤b}; 
      e ←$ χ; 
      f ← f − (f mod G) + e; 
      return f; 
    end 

  Finalize(G'): 
    begin 
      return (G = G'); 
    end 

Fig. 5. Game GBN_{𝒫,GBGen(·),d,b,χ} 

The essential difference between the noisy and noise-free versions of the GB prob- 
lem is that by adding noise we have eliminated the restriction on the adversary 
to call the Sample oracle a bounded number of times. The choice of $\chi$ greatly 
influences the hardness of the GBN problem. 

As in the noise-free setting, we can ask various questions about the ideal $I$ 
spanned by $G$. One such example is solving the ideal remainder problem with 
access to noisy samples from $I$. 

Definition 7. The ideal remainder with noise problem is defined through the 
game $\mathrm{IRN}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,\chi}$ as shown in Figure 6. The advantage of a ppt 
algorithm $A$ is defined as the probability of winning the game minus 
$1/q(\lambda)^{\dim_{\mathbb{F}_q}(P/\langle G \rangle)}$. 


  Initialize(1^λ, P, d): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      return (1^λ, P); 
    end 

  Sample(): 
    begin 
      f ←$ P_{≤b}; 
      e ←$ χ; 
      f ← f − (f mod G) + e; 
      return f; 
    end 

  Challenge(): 
    begin 
      f ←$ P_{≤b}; 
      return f; 
    end 

  Finalize(r'): 
    begin 
      return (r' = (f mod G)); 
    end 

Fig. 6. Game IRN_{𝒫,GBGen(·),d,b,χ} 

In fact, the above two problems are equivalent as shown in the lemma below. 
Compared to the noise-free version, we no longer need the IM adversary to be 
overwhelmingly successful, as there are no restrictions on the number of calls 
that can be made to the Sample procedure. The proof is given in [ref]. 

Lemma 3. The IRN problem is hard iff the GBN problem is hard. 

Similarly to the noise-free setting, the ideal membership with noise (IMN) prob- 
lem is the decisional variant of the IRN (and hence the GBN) problem. However, 
in the noisy setting we have the choice between a noisy and a noise-free challenge 
polynomial. In the definition below noisy challenges are provided and the ad- 
versary wins the game if he can distinguish whether an element was sampled 
uniformly from $P_{\le b}$ or from $I + \chi$. 

Definition 8. The ideal membership with noise problem is defined through the 
game $\mathrm{IMN}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,\chi}$ as shown in Figure 7. The advantage of a ppt 
algorithm $A$ in solving the IMN problem is defined as twice the probability of 
winning the game minus 1. 


  Initialize(1^λ, P, d): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      c ←$ {0, 1}; 
      return (1^λ, P); 
    end 

  Sample(): 
    begin 
      f ←$ P_{≤b}; 
      e ←$ χ; 
      f ← f − (f mod G) + e; 
      return f; 
    end 

  Challenge(): 
    begin 
      f ←$ P_{≤b}; 
      if c = 1 then 
        f' ← f mod G; 
        e ←$ χ; 
        f ← f − f' + e; 
      return f; 
    end 

  Finalize(c'): 
    begin 
      return (c' = c); 
    end 

Fig. 7. Game IMN_{𝒫,GBGen(·),d,b,χ} 

Our definition of the IMN problem can be seen as an instantiation of Gentry’s 
ideal coset problem [ref] since both problems require distinguishing uniformly 
chosen elements in $P_{\le b}$ from those in $I + \chi$. Our problem, however, assumes 
noisy samples since it is clear from Section 5 that otherwise the problem is easy. 

Again, we would like to have a decision-to-search reduction; that is, we would 
like to have an equivalence between the IRN and IMN problems. This equivalence 
holds when the search space of remainders is polynomial in $\lambda$, namely when 
$q(\lambda)^{\dim_{\mathbb{F}_q}(P(\lambda)/\langle \mathrm{GBGen}(\cdot) \rangle)} = \mathrm{poly}(\lambda)$. The intuition behind this 
reduction is that the adversary can exhaustively search the quotient ring and use 
the IMN oracle to verify his guess. Once again, a technical difficulty arises as 
the adversary does not know the search space $P/I$ and thus has to discover it 
during the attack. Again, the IMN adversary provides an oracle to accomplish 
this. This is formalised in the lemma below, whose proof is in [ref]. 

Lemma 4. The IMN problem is hard iff the IRN problem is hard for poly-sized 
$q^{\dim_{\mathbb{F}_q}(P/\langle G \rangle)}$. 

Hence GBN is equivalent to IRN, and IRN is equivalent to IMN under some addi- 
tional assumptions about the size of $P/I$. Finally, for $d = 1$ (but arbitrary $b$) we 
show that if we can solve the GBN problem on average, then we can also solve 
it for worst-case instances. This in turn increases our confidence in the hardness 
of the GBN problem. The proof of the following lemma is given in [ref]. 

Lemma 5. If the GBN problem is worst-case hard, then it is also average-case 
hard. 

6.1 Hardness Assumptions and Justifications 

Let us now investigate the hardness of the GBN, IRN, and IMN problems. 
Relation to LWE. It is easy to see that GBN can be considered as a non- 
linear generalisation of LWE if $q = \mathrm{poly}(n)$ is a prime. In other words, we have 
equivalence between these problems when $b = d = 1$ in GBN. This is formalised 
below (the proof is in [ref]). 

Lemma 6. If the LWE problem is hard then the GBN problem is also hard for 
$b = d = 1$. 

In the noise-free setting we assume that solving systems of equations of degree 
greater than 1 is harder than solving those of degree 1. More generally, we 
assume that equations of degree b > b' are harder to solve than those of degree 
b'. Intuitively, equations of degree b' can be seen as those of degree b where 
the coefficients of higher degree monomials are set to zero. However, formalising 
this intuition for an adversary which expects uniformly distributed equations of 
degree b seems futile since producing such equations is equivalent to solving the 
system by Theorem 3. 

In the noisy setting this equivalence (i.e., Theorem 3) between sampling and 
solving no longer holds. However, we still need to deal with the distribution of 
noise. One strategy to show that difficulty increases with the degree parameter 
$b$ is to allow for an increase of the noise level in the samples. We formalise this 
below (a proof is given in [ref]). 

Lemma 7. If the GBN problem is hard for degree $2b$ with noise $\chi_{\sqrt{N}\alpha^2 q,\, q}$, 
$N = \binom{n+b}{b}$, then it is also hard for degree $b$ with noise $\chi_{\alpha,q}$. 

Relation to the Approximate GCD Problem. The GBN problem for $n = 1$ 
is the approximate GCD problem over $\mathbb{F}_q[x]$. Contrary to the approximate GCD 
problem over the integers (cf. [ref]), this problem has not yet received much atten- 
tion, and hence it is unclear under which parameters it is hard. However, as we 
discuss in [ref], the notion of a Gröbner basis can be extended to $\mathbb{Z}[x_0, \ldots, x_{n-1}]$, 
which in turn implies a version of the GBN problem over $\mathbb{Z}$. This can be seen as 
a direct generalisation of the approximate GCD problem in $\mathbb{Z}$. 

The Case q = 2. Recall that if b = d = 1 we have an equivalence with the LWE 
problem (or the well-known problem of learning parity with noise (LPN) if q = 2). 
More generally, for d = 1 we can reduce Max-3SAT instances to GBN instances by 
translating each clause individually to a Boolean polynomial. However, in Max- 
3SAT the number of samples is bounded and hence this reduction only shows 
the hardness of GBN with a bounded number of samples. Still, the Grobner basis 
returned by an arbitrary algorithm A solving GBN using a bounded number of 
samples will provide a solution to the Max-3SAT problem. Vice versa, we may 
convert a GBN instance for $d = 1$ to a Max-SAT instance (more precisely Partial 
Max-SAT) by running an ANF to CNF conversion algorithm [ref]. 

Known Attacks. Finally, we consider known attacks to understand the dif- 
ficulty of the GBN problem. Recall that if $b = 1$ Lemma 6 states that we can 
solve the LWE problem if we can solve the GBN problem. The converse also 
applies. Indeed, for any $b > d$ and $d = 1$ the best known attack against the 
GBN problem is to reduce it to the LWE problem, similarly to the 
linearisation technique used for solving non-linear systems of equations in the 
noise-free setting. Let $N = \binom{n+b}{b}$ be the number of monomials up to degree $b$. 
Let $\mathcal{M} : P \to \mathbb{F}_q^N$ be a function which maps polynomials in $P$ to vectors in 
$\mathbb{F}_q^N$ by assigning to the $i$-th component of the image vector the coefficient of 
the $i$-th monomial $\in M_{\le b}$. Then, in order to reduce GBN with $n$ variables and 
degree $b$ to LWE with $N$ variables, reply to each LWE Sample query by calling 
the GBN Sample oracle to retrieve $f$, compute $v = \mathcal{M}(f)$ and return $(a, b)$ with 
$a = (v_{N-1}, \ldots, v_1)$ and $b = -v_0$. When the LWE adversary queries Finalize on 
$s$, query the GBN Finalize on $[x_0 - s_0, \ldots, x_{n-1} - s_{n-1}]$. Correctness follows 
from the correctness of linearisation in the noise-free setting [ref]. Furthermore, 
the LWE problem in $N$ variables and with respect to the discrete Gaussian noise 
distribution $\chi_{\alpha,q}$ is considered to be hard if 
$\alpha > 3/2 \cdot \max\left(\frac{1}{q},\, 2^{-2\sqrt{N \log q \log \delta}}\right)$ 
for an appropriate choice of $\delta$, which is the quality of the approximation for the 
shortest vector problem. With current lattice algorithms $\delta = 1.01$ is hard and 
$1.005$ infeasible [ref]. 
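To make the linearisation concrete, the following is an added example (our code, not the paper's) for $d = 1$: it produces noisy ideal samples for $G = \{x_i - s_i\}$, applies the map $\mathcal{M}$ with the reordering $a = (v_{N-1}, \ldots, v_1)$, $b = -v_0$, and checks that $\langle a, s' \rangle - b$ returns the GBN noise when $s'$ is the vector of non-constant monomials evaluated at $s$. The bounded-uniform noise is a stand-in for the discrete Gaussian and all function names are ours.

```python
# Added example, not code from the paper: the GBN -> LWE linearisation of
# Section 6.1 for d = 1.  With G = {x_i - s_i}, f mod G is f(s), so a GBN
# sample is a degree-b polynomial with f(s) = e; mapping its coefficients to
# a vector gives one LWE sample whose secret is the monomial evaluations at s.
import itertools
import random

def monomial_list(n, b):
    """M_{<=b} in a fixed order with the constant monomial at index 0."""
    ms = [e for e in itertools.product(range(b + 1), repeat=n) if sum(e) <= b]
    return sorted(ms, key=lambda e: (sum(e), e))

def evaluate_monomial(e, s, q):
    """x^e at the point s, modulo q."""
    v = 1
    for si, ei in zip(s, e):
        v = v * pow(si, ei, q) % q
    return v

def gbn_sample(secret, b, q, noise_bound, rng):
    """Sample() of Fig. 5 for G = {x_i - s_i}: the non-constant coefficients
    are uniform and the constant term is fixed so that f(s) = e, i.e.
    f = f_0 - (f_0 mod G) + e.  Toy noise e is uniform in [-noise_bound,
    noise_bound] (the paper uses a discrete Gaussian)."""
    ms = monomial_list(len(secret), b)
    f = {e: rng.randrange(q) for e in ms[1:]}
    noise = rng.randint(-noise_bound, noise_bound)
    f[ms[0]] = (noise - sum(c * evaluate_monomial(e, secret, q)
                            for e, c in f.items())) % q
    return f, noise

def to_lwe(f, n, b, q):
    """The map M: P -> F_q^N, then a = (v_{N-1}, ..., v_1) and b = -v_0."""
    v = [f.get(e, 0) % q for e in monomial_list(n, b)]
    return list(reversed(v[1:])), (-v[0]) % q

def lwe_secret(secret, b, q):
    """The LWE secret s' implied by s: every non-constant monomial evaluated
    at s, in the same reversed order as a."""
    ms = monomial_list(len(secret), b)
    return [evaluate_monomial(e, secret, q) for e in reversed(ms[1:])]

def check_reduction(n=3, b=2, q=1_000_003, noise_bound=4, seed=7, samples=5):
    """Returns (len(a), True iff <a, s'> - b equals the GBN noise e for every
    sample), i.e. the linearised samples are genuine LWE samples in s'.
    For n = 3, b = 2 there are binom(5, 2) = 10 monomials, so len(a) = 9."""
    rng = random.Random(seed)
    secret = [rng.randrange(q) for _ in range(n)]
    sp = lwe_secret(secret, b, q)
    ok = True
    for _ in range(samples):
        f, e = gbn_sample(secret, b, q, noise_bound, rng)
        a, bb = to_lwe(f, n, b, q)
        diff = (sum(x * y for x, y in zip(a, sp)) - bb) % q
        ok = ok and (diff - q if diff > q // 2 else diff) == e
    return len(a), ok
```

The LWE adversary's answer $s'$ contains the degree-1 evaluations $s_i$ themselves, which is what the reduction hands to the GBN Finalize as $[x_0 - s_0, \ldots, x_{n-1} - s_{n-1}]$.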

Perhaps the most interesting attack on LWE from the perspective of this work 
is that due to Arora and Ge [ref], which reduces the problem of solving linear 
systems with noise to the problem of solving (structured) non-linear noise-free 
systems. We may apply this technique directly to GBN, i.e., without going to 
LWE first, and reduce it to GB with large b. However, it seems this approach does 
not improve the asymptotic complexity of the attack. Finally, certain conditions 
to rule out exhaustive search must be imposed. 

Definition 9. Let $b, d \in \mathbb{N}$ with $b \ge d \ge 1$. Let $\mathcal{P}$ be a polynomial ring distri- 
bution and $\chi_{\alpha,q}$ be the discrete Gaussian distribution. Suppose the parameters 
$n$, $\alpha$, and $q$ (all being functions of $\lambda$) satisfy the following set of conditions: 
1) $n > \sqrt{\lambda}$; 2) $(\alpha q)^{n^d} \approx 2^\lambda$, so exhaustive search over the noise or the 
secret key space is ruled out; 3) $\alpha q > 8$ as suggested in [ref]; and 4) for 
$N := \binom{n+b}{b}$ and $\delta := 1.005$ we have 
$\alpha > 3/2 \cdot \max\left\{\frac{1}{q},\, 2^{-2\sqrt{N \log q \log \delta}}\right\}$, and hence the best known 
attacks against the LWE problem are ruled out [ref]. Then the advantage of 
any ppt algorithm in solving the GBN, IRN, and IMN problems is negligible. 

7 Polly Cracker with Noise 

In this section we present a fully IND-CPA-secure PC-style symmetric encryption 
scheme. Our parameterised scheme, $\mathrm{SPCN}_{\mathcal{P},\mathrm{GBGen}(\cdot),d,b,\chi}$, is shown in 
Figure 8. Here we represent elements in $\mathbb{F}_q$ as integers in the interval 
$(-\lfloor q/2 \rfloor, \lfloor q/2 \rfloor]$. This representation is also used in the 
definition of noise. All the computations are performed in the ring $P$ as 
generated by Gen. Furthermore we assume that $\gcd(2, q) = 1$. This condition 
is needed for the correctness and the security of our scheme. The message space 
is $\mathbb{F}_2$ (although we remark that this can be generalised to other small 
fields). Correctness of evaluation up to overflows can be established by a 
straightforward calculation. 

Permitted Circuits. Circuits composed of Add and Mul gates can be seen 
as multivariate Boolean polynomials in t variables over F 2 . We can consider the 
  Gen_{𝒫,GBGen(·),d,b,χ}(1^λ): 
    begin 
      P ←$ 𝒫_λ; 
      G ←$ GBGen(1^λ, P, d); 
      SK ← (G, P, b, χ); 
      PK ← (P, b, χ); 
      return (SK, PK); 
    end 

  Enc(m, SK): 
    begin 
      f ←$ P_{=b}; 
      f' ← f mod G; 
      f ← f − f'; 
      e ←$ χ; 
      c ← f + 2e + m; 
      return c; 
    end 

  Dec(c, SK): 
    begin 
      m' ← c mod G; 
      m ← m' mod 2; 
      return m; 
    end 

  Eval(c_0, ..., c_{t−1}, C, PK): 
    begin 
      apply Add and Mul gates of C over P; 
      return the result; 
    end 

Fig. 8. The Symmetric Polly Cracker with Noise scheme SPCN_{𝒫,GBGen(·),d,b,χ} 


generalisation of this set of polynomials to $\mathbb{F}_q$ (i.e., the coefficients are in $\mathbb{F}_q$). 
In order to define the set of permitted circuits (which will be parameterised by 
$\alpha > 0$) we first embed the Boolean polynomials into the ring of polynomials 
over $\mathbb{Z}$. For $\chi_{\alpha,q}$ we have that the probability of the noise being larger than 
$k\alpha q$ is $\le \exp(-k^2/2)$. We now say that a circuit is valid if for any $(s_0, \ldots, s_{t-1})$ 
with $s_i < t\alpha q$ we have that the outputs are less than $q$ for some parameter $t$. 
This restriction ensures that no overflows occur when polynomials are evaluated 
over $\mathbb{F}_q$. In [ref] we discuss how to set $\alpha$ and $q$ in order to allow for evaluation 
of polynomials of some fixed degree $p$ and provide a Sage implementation [ref]. 

Compactness. Additions do not increase the size of the ciphertext, but they do 
increase the size of the error by at most one bit. Multiplications square the size 
of the ciphertext and increase the bit-size of the noise by approximately 
$\log(5 e_0 e_1)$ bits. In [ref] we also provide a discussion on how to trade 
ciphertext size with noise, an avenue which is investigated independently in 
[ref]. The theorem below, which is proven in [ref], states the security properties 
of the above scheme. 

Theorem 4. If the IMN problem is hard, then the scheme in Figure 8 is secure.

The above theorem, together with the recent results in [?] which establish the equivalence of symmetric and asymmetric homomorphic encryption schemes, leads to the first provably secure public-key encryption scheme from assumptions related to Gröbner bases for random systems. This provides a positive answer to the challenges raised by Barkee et al. [?] (and later also by Gentry [?]). We note here that the transformation, as briefly described in Section [?], only uses the additive features of the scheme and does not require full homomorphicity.

Acknowledgments. We would like to thank Carlos Cid for valuable feedback and discussions on this work. We would also like to thank Frederik Armknecht for helpful discussions on an earlier draft of this work.
Abstract. Oblivious RAM is a useful primitive that allows a client to hide its data access patterns from an untrusted server in storage outsourcing applications. Until recently, most prior works on Oblivious RAM aim to optimize its amortized cost, while suffering from linear or even higher worst-case cost. Such poor worst-case behavior renders these schemes impractical in realistic settings, since a data access request can occasionally be blocked waiting for an unreasonably large number of operations to complete.

This paper proposes novel Oblivious RAM constructions that achieve poly-logarithmic worst-case cost, while consuming constant client-side storage. To achieve the desired worst-case asymptotic performance, we propose a novel technique in which we organize the O-RAM storage into a binary tree over data buckets, while moving data blocks obliviously along tree edges.


1 Introduction 

Oblivious RAM (or O-RAM for short) [?] is a useful primitive for enabling privacy-preserving outsourced storage, where a client stores its data at a remote untrusted server. While standard encryption techniques allow the client to hide the contents of the data from the server, they do not guard the access patterns. As a result, the server can still learn sensitive information by examining the access patterns. For example, Pinkas and Reinman [12] gave an example in which a sequence of data access operations to specific locations (u_1, u_2, u_3) can indicate a certain stock trading transaction, and such financial information is often considered highly sensitive by organizations and individuals alike.

Oblivious RAM allows the client to completely hide its data access patterns from the untrusted server. It can be used in conjunction with encryption, to enable stronger privacy guarantees in outsourced storage applications. Not surprisingly, the client has to pay a certain cost in order to hide its access patterns from the server. Among all prior work in this space, the seminal constructions recently proposed by Goodrich and Mitzenmacher [7] achieve the best asymptotic performance in terms of amortized cost.

* This material is based upon work partially supported by the Air Force Office of Scientific Research under MURI Grant No. 22178970-4170 and No. FA9550-08-1-0352. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Air Force Office of Scientific Research.

** This material is based upon work partially supported by the National Science Foundation Graduate Research Fellowship under Grant No. DGE-0946797.

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 197–214, 2011.
Table 1. Our contributions. The Õ notation hides poly log log N terms. The bounds for this paper hold with high probability 1 − 1/poly(N), assuming that the total number of data access requests M = poly(N), and that the block size B > c log N bits, for any constant c > 1. For a more precise statement of our bounds, please refer to Section [?]. The BST bucket construction is due to an O-RAM construction by Damgård, Meldgaard, and Nielsen [?].

Scheme                          | Amortized Cost      | Worst-case Cost  | Client Storage | Server Storage
--------------------------------|---------------------|------------------|----------------|---------------
GO [6]                          | O((log N)^3)        | O(N (log N)^2)   | O(1)           | O(N log N)
WS [16]                         | O((log N)^2)        | O(N log N)       | O(√N)          | O(N log N)
WSC [17]                        | O(log N log log N)  | O(N log log N)   | O(√N)          | O(N)
PR [12]                         | O((log N)^2)        | O(N log N)       | O(1)           | O(N)
GM [7]                          | O((log N)^2)        | O(N log N)       | O(1)           | O(N)
GM [7]                          | O(log N)            | O(N)             | O(√N)          | O(N)
BMP [3]                         | O(√N)               | O(√N)            | O(√N)          | O(N)
SSS [15]                        | O((log N)^2)        | O(√N)            | O(√N)          | O(N)
This paper, Trivial Bucket      | O((log N)^3)        | O((log N)^3)     | O(1)           | O(N log N)
This paper, Square-Root Bucket  | Õ((log N)^2.5)      | Õ((log N)^3)     | O(1)           | O(N log N)
This paper, BST Bucket          | Õ((log N)^2)        | Õ((log N)^3)     | O(1)           | O(N log N)

Specifically, let N denote the maximum capacity of the O-RAM. Goodrich and Mitzenmacher show that with O(1) client-side storage, one can achieve O((log N)^2) amortized cost, i.e., each oblivious data request translates into O((log N)^2) non-oblivious data access operations on average. Goodrich and Mitzenmacher also show that with O(√N) client-side storage, one can achieve O(log N) amortized cost [7].

O-RAM with sublinear worst-case cost. Until recently, most prior work on O-RAM optimizes for the amortized cost [?], while not giving much consideration to the worst-case cost. Specifically, while achieving logarithmic or poly-logarithmic amortized cost, these constructions [?] have a worst-case cost of Ω(N), due to the occasional reshuffling operations which can take up to Ω(N) time. Such Ω(N) worst-case behavior renders these schemes impractical in real-world applications, since every now and then a data request can be blocked waiting for Ω(N) operations to complete. When this happens, the perceived waiting time for the user would be unacceptable.

The research community has only recently started to investigate O-RAMs with sublinear worst-case cost [3, 15]. Boneh, Mazières, and Popa [3] proposed an O-RAM with O(√N) worst-case cost, however, at the expense of O(√N) (rather than poly-log) amortized cost. Stefanov, Shi, and Song [15] recently proposed an O-RAM with O(√N) worst-case cost, O((log N)^2) amortized cost, and O(√N) client-side storage.


1.1 Our Contributions 

O-RAM with poly-log worst-case cost, and constant client-side storage. This paper proposes novel O-RAM constructions that achieve both poly-log amortized and worst-case cost, while consuming O(1) client-side storage, and O(N log N) server-side storage. We offer two variants of our construction. The simpler variant (instantiated with the trivial bucket O-RAM) achieves O((log N)^3) amortized and worst-case cost. A slightly more sophisticated variant (instantiated with the Square-Root bucket O-RAM) achieves Õ((log N)^2.5) amortized cost, and Õ((log N)^3) worst-case cost. We use the Õ notation to hide poly log log terms from the asymptotic bounds.

These aforementioned bounds hold with very high probability (i.e., at least 1 − 1/poly(N)), under the realistic assumptions that the number of data requests M = poly(N), and that the block size B > c log N bits for any constant c > 1.

Novel binary-tree based technique. Most existing constructions [?] are based on the hierarchical solution initially proposed by Goldreich and Ostrovsky [6], and they suffer from Ω(N) worst-case cost due to the occasional reshuffling operation that can take up to Ω(N) time. Therefore, to reduce the worst-case cost, we wish to somehow spread the cost of reshuffling over time, so the worst-case cost can be amortized towards each O-RAM operation.

Unfortunately, due to certain technical constraints imposed by these constructions [?], it does not seem possible to directly spread the cost of reshuffling over time. As a result, we propose a novel technique called the binary-tree based construction (Section 3). Basically, the server-side O-RAM storage is organized into a binary tree over small data buckets. Data blocks are evicted in an oblivious fashion along tree edges from the root bucket to the leaf buckets. While in spirit the binary-tree based construction is trying to spread the reshuffling cost over time, in reality its operational mechanisms bear little resemblance to prior schemes [?] based on Goldreich and Ostrovsky's original hierarchical solution [6]. Therefore, this represents an entirely new technique which has not been previously studied in the O-RAM literature.

While the basic binary-tree based construction achieves poly-logarithmic amortized and worst-case cost, it requires N/c blocks of client-side storage for some constant c > 1. To reduce the client-side storage, we recursively apply our O-RAM construction over the index structure. Instead of storing the index structure on the client side, we store it in a separate and smaller O-RAM on the server side. We achieve O(1) client-side storage through recursive application of our O-RAM construction over the index structure (Section [?]).

Conceptual simplicity. Another notable characteristic of our constructions is their relative conceptual simplicity in comparison with most other existing constructions [?]. In particular, the simpler variant of our construction (based on the trivial bucket O-RAM as described in Section 2.5) achieves O((log N)^3) amortized and worst-case cost while requiring no oblivious sorting or reshuffling, and no hashing or Cuckoo hashing (or its oblivious simulation such as in the Goodrich-Mitzenmacher construction [7]). All O-RAM read and write operations behave uniformly in this simpler variant, and cost the same asymptotically.

1.2 Related Work 

Oblivious RAM was first investigated by Goldreich and Ostrovsky [?] in the context of protecting software from piracy, and efficient simulation of programs on oblivious RAMs. Apart from proposing a seminal hierarchical solution with O((log N)^3) amortized cost, Goldreich and Ostrovsky [6] also demonstrate the following lower bound: for an O-RAM of capacity N, the client has to pay an amortized cost of at least Ω(log N). Recently, Beame and Machmouchi [2] improved the lower bound to Ω(log N log log N).

Since the first investigation of Oblivious RAM by Goldreich and Ostrovsky [?, 6, ?], several constructions have been proposed subsequently [3, 7, 12, 15, 16]. Among these, the seminal constructions recently proposed by Goodrich and Mitzenmacher [7] achieve the best asymptotic performance in terms of amortized cost: with O(1) client-side storage, their construction achieves O((log N)^2) amortized cost; and with O(√N) client-side storage, their construction achieves O(log N) amortized cost [7]. Pinkas and Reinman [12] also showed a similar result for the O(1) client-side storage case; however, some researchers have pointed out a security flaw in their construction [?], which the authors of [12] have promised to fix in a future journal version.

For a fairly long time, almost all research in this space aimed to optimize the amortized cost, while neglecting the worst-case cost. Only very recently did the research community start to investigate O-RAM constructions with sublinear worst-case cost. As mentioned earlier, there have been two recent works [3, 15] aimed at achieving sublinear worst-case cost and making O-RAM practical. Boneh, Mazières, and Popa [3] achieve O(√N) worst-case cost, however, at the expense of O(√N) amortized cost. Stefanov, Shi, and Song [15] recently proposed a novel O-RAM construction with O(√N) worst-case cost, O((log N)^2) amortized cost, and O(√N) client-side storage. Apart from this, Stefanov, Shi, and Song also offered another construction geared towards practical performance rather than asymptotics. This practical construction uses a linear amount of client storage (with a very small constant), and achieves O(log N) amortized cost and O(√N) worst-case cost. Under realistic settings, it achieves 20–30× amortized cost, while storing 0.01%–0.3% of the total data at the client. To the best of our knowledge, this is the most practical scheme known to date.

We note that the hierarchical aspect of our binary-tree technique is partially inspired by the hierarchical solution originally proposed by Goldreich and Ostrovsky [6], and later adopted in many constructions [?]; while the eviction aspect is partially inspired by the background eviction idea originally proposed by Stefanov, Shi, and Song [15].

Our binary tree technique may also be superficially reminiscent of a construction by Damgård, Meldgaard, and Nielsen [?]. However, apart from the fact that both schemes rely on a binary tree, the internal mechanisms of our construction and the Damgård-Meldgaard-Nielsen construction are fundamentally different. Specifically, Damgård et al. primarily aim to avoid the need for a random oracle or pseudo-random function, rather than to improve worst-case cost. Their construction uses a binary search tree, and requires periodic reshuffling operations that can take O(N log N) time. In contrast, we use a binary tree (instead of a binary search tree), and we use a background eviction mechanism to circumvent the need for reshuffling.

Table 1 illustrates the asymptotic performance characteristics of various existing schemes, and positions our work in perspective of related work.

Concurrent/subsequent work. In concurrent/subsequent work, Goodrich et al. [?] and Kushilevitz et al. [?] also came up with novel O-RAM constructions with poly-logarithmic overhead. Specifically, the construction by Goodrich et al. achieves O((log N)^2) worst-case cost with O(1) memory; and Kushilevitz et al. achieve O( ). Due to a larger constant in their asymptotic notations, in realistic scenarios, our scheme with the trivial bucket O-RAM is likely the most practical when the client-side storage is O(1).


2 Preliminaries 

Let N denote the O-RAM capacity, i.e., the maximum number of data blocks that an O-RAM can store. We assume that data is fetched and stored in atomic units called blocks. Let B denote the block size in terms of the number of bits. We assume that the block size B > c log N, for some c > 1. Notice that this is true in almost all practical scenarios. We assume that each block has a global identifier u ∈ U, where U denotes the universe of identifiers.

Throughout the paper, we use the asymptotic notation Õ(f(N)), meaning O(f(N) poly log log N), as a short-hand for hiding poly log log N terms.


2.1 Defining O-RAM with Enriched Operations 

The standard O-RAM adopted in prior work [?] exports a Read and a Write interface. To hide whether the operation is a read or a write, either operation will generate both a read and a write to the O-RAM.

In this paper, we consider O-RAMs that support a few enriched operations. Therefore, we propose a modified O-RAM definition, exporting a ReadAndRemove primitive and an Add primitive. We later show that given these two primitives, we can easily implement the standard O-RAM Read and Write operations. Moreover, given these two primitives, we can also support an enriched operation called Pop, which will be needed later in our constructions. Therefore, our modified O-RAM definition is more general than the standard O-RAM notion. The same modified O-RAM notion was adopted in the work by Stefanov, Shi, and Song [15].

Definition 1. An Oblivious RAM (with enriched operations) is a suite of interactive protocols between a client and a server, comprising the following:

ReadAndRemove(u): Given a private input u ∈ U which is a block identifier, the client performs an interactive protocol with the server to retrieve a block identified by u, and then remove it from the O-RAM. If u exists in the O-RAM, the content of the block data is returned to the client. Otherwise, ⊥ is returned.

Add(u, data): The client is given private inputs u ∈ U and data ∈ {0, 1}^B, representing a block identifier and some data content respectively. This operation must be immediately preceded by ReadAndRemove(u) such that block u no longer resides in the O-RAM. The client then performs an interactive protocol with the server to write content data to the block identified by u, which is added to the O-RAM.
Definition 2 (Security definition). Let y := ((op_1, arg_1), (op_2, arg_2), ..., (op_M, arg_M)) denote a data request sequence of length M. Each op_i denotes a ReadAndRemove or an Add operation. Moreover, if op_i is a ReadAndRemove operation, then arg_i = u_i, else if op_i is an Add operation, then arg_i = (u_i, data_i), where u_i denotes the identifier of the block being read or added, and data_i denotes the data content being written in the second case. Recall that if op_i is an Add operation with argument (u_i, data_i), then op_{i−1} must be a ReadAndRemove operation with argument u_{i−1} = u_i.

We use the notation ops(y) to denote the sequence of operations associated with y, i.e., ops(y) := (op_1, op_2, ..., op_M).

Let A(y) denote the (possibly randomized) sequence of accesses to the remote storage given the sequence of data requests y. An O-RAM construction is said to be secure if for any two data request sequences y and z such that |y| = |z| and ops(y) = ops(z), their access patterns A(y) and A(z) are computationally indistinguishable by anyone but the client.

2.2 Relationship with the Standard O-RAM Definition

As mentioned earlier, our modified O-RAM notion is more general than the standard O-RAM notion, in the sense that given a modified O-RAM exporting ReadAndRemove and Add primitives, we can easily implement a standard O-RAM supporting Read and Write operations, as stated in the following observation.

Observation 1. Given a modified O-RAM as defined above, we can construct a standard O-RAM, where a standard Read(u) operation is implemented by the operation data ← ReadAndRemove(u) followed by Add(u, data), and a standard Write(u, data) operation is implemented by the operation data_0 ← ReadAndRemove(u) followed by an Add(u, data) operation.

Most existing constructions [?] based on Goldreich and Ostrovsky's hierarchical solution [6] can be easily modified to support the ReadAndRemove and Add primitives.

2.3 Implementing Enriched Semantics

Implementing the Pop operation from the ReadAndRemove and Add primitives.

As mentioned earlier, our O-RAM storage is organized into a binary tree over buckets, where each bucket is a fully functional O-RAM by itself, referred to as a bucket O-RAM. For technical reasons which will become clear in Section 3, each bucket O-RAM needs to support not only the ReadAndRemove and Add operations (and hence the standard O-RAM Read and Write operations), but also a special-purpose operation called Pop().

The Pop() operation looks up a real data block and removes it from the O-RAM if one exists. Otherwise, it returns a dummy block ⊥.

In our online full technical report [?], we present a constructive proof demonstrating that any O-RAM supporting the ReadAndRemove and Add primitives can be modified to support the Pop primitive as well; and the Pop operation costs asymptotically the same as the basic ReadAndRemove and Add primitives. We state this fact in the following lemma.

Lemma 1 (Additional Pop() operation). Given any O-RAM construction of capacity 3N satisfying Definition 1, one can construct a new O-RAM of capacity N that not only provides a ReadAndRemove(u) and an Add(u, data) primitive (and hence the standard Read(u) and Write(u, data) operations), but also provides a Pop() operation, where all operations preserve the asymptotic performance of the original O-RAM. Specifically, the Pop() operation selects an arbitrary block that currently exists in the O-RAM, reads it back and removes it from the O-RAM. If the O-RAM does not contain any real blocks, the Pop operation returns ⊥.


2.4 Encryption and Authentication 

Similar to prior work in O-RAM [?], we assume that all data blocks are encrypted using a semantically secure encryption scheme, so that two encryptions of the same plaintext cannot be linked. Furthermore, every time a data block is written back it is encrypted again using fresh randomness.

We also assume that the server does not tamper with or modify the data, since au- 
thentication and freshness can be achieved using standard techniques such as Message 
Authentication Codes (MAC), digital signatures, or authenticated data structures. 

2.5 Two Simple O-RAM Constructions with Deterministic Guarantees 

As mentioned earlier, our O-RAM storage is organized into a binary tree over small data buckets, where each bucket is a fully functional O-RAM by itself, referred to as a bucket O-RAM.

For technical reasons which will become clear in Section 3, we would like each bucket O-RAM to provide deterministic (as opposed to high probability) guarantees. Moreover, each bucket O-RAM needs to support a non-contiguous block identifier space. We consider each block identifier u ∈ {0, 1}^{≤B}, i.e., u can be an arbitrary string, as long as u can be described within one block. Furthermore, the set of block identifiers is not known in advance, but rather determined dynamically during live operation of the bucket O-RAM. As long as the load of the bucket O-RAM never exceeds its capacity, the correct functioning of the bucket O-RAM should be guaranteed.

Below, we present the two candidate bucket O-RAM constructions, called the trivial O-RAM and the Square-Root O-RAM respectively. They are modifications of the trivial O-RAM and the Square-Root O-RAM constructions originally proposed by Goldreich and Ostrovsky [6].

Trivial O-RAM. We can build a trivial O-RAM supporting a non-contiguous block identifier space in the following way. Let N denote the O-RAM capacity. In the trivial O-RAM, the server side has a buffer storing N blocks, where each block is either a real block denoted (u, data), or a dummy block denoted ⊥.

To perform a ReadAndRemove(u) operation, a client sequentially scans positions 0 through N − 1 in the server array: if the current block matches identifier u, the client remembers its content and overwrites it with ⊥; if the current block does not match identifier u, the client writes back the original block read.
Fig. 1. Server-side storage hierarchy. The server-side O-RAM storage is organized into a binary tree over data buckets, where each bucket can hold up to O(log N) data blocks. A data block enters from the root bucket when written to the O-RAM, and then obliviously percolates down towards a random leaf over time, until the same block is accessed again.

To perform an Add(u, data) operation, a client sequentially scans positions 0 through N − 1 in the server buffer: the first time the client sees a dummy block, the client overwrites it with (u, data); otherwise, the client writes back the original block read.

As mentioned earlier, whenever blocks are written back to the server, they are re-encrypted in order to hide their contents from the server.

Clearly, the trivial O-RAM is secure, requires O(N) amortized and worst-case cost, O(N) server-side storage, and O(1) client-side storage (since the client never downloads the entire array all at once, but performs the reads and updates in a streaming fashion).

Square-Root O-RAM [6]. Goldreich and Ostrovsky present a Square-Root O-RAM [6] which achieves O(√N log N) amortized cost, O(N log N) worst-case cost, O(N) server-side storage, and O(1) client-side storage. When using the deterministic AKS sorting network [?] to implement the reshuffling operation, the Square-Root O-RAM achieves deterministic (as opposed to high probability) guarantees. Although the original Square-Root O-RAM construction supports only a contiguous block identifier space, it is not too difficult to modify it to support a non-contiguous block identifier space, while preserving the same asymptotic performance. We defer the detailed description of this modified Square-Root O-RAM construction to our online full version [?].

3 Basic Construction 

3.1 Overview of the Binary Tree Construction 

We first describe a binary-tree based construction, which has two variants. The first variant makes use of the trivial bucket O-RAM and has amortized and worst-case cost O((log N)^2); the second variant makes use of the Square-Root bucket O-RAM and has O((log N)^1.5) amortized cost, and O((log N)^2) worst-case cost. Both variants require N/c client-side storage, where c > 1, and we assume that the failure probability is 1/poly(N) and the number of operations is M = poly(N), which is reasonable in practice (for instance N = 10^6 and M = N^3 = 10^18). Later, in Section [?], we describe how to apply our O-RAM construction recursively for the client-side storage, to achieve O(1) client-side memory, while incurring a multiplicative factor of O(log N) to the amortized and worst-case costs.

As mentioned in Section 1, the motivation for the binary tree construction is to "in spirit" spread across time the reshuffling operations that commonly appear in existing constructions [?]. However, since there is no trivial way to modify existing schemes to spread the reshuffling operation, we introduce a completely new technique based on the binary tree idea.

Server-side storage organization. In our construction, the server-side storage is organized into a binary tree of depth D := ⌈log_2 N⌉. For ease of explanation, let us assume that N is a power of 2 for the time being. In this way, there are exactly N leaf nodes in the tree.

Each node in the tree is a data bucket, which is a self-contained O-RAM of capacity O(log N), henceforth referred to as a bucket O-RAM. For technical reasons described later, each bucket O-RAM must have the following properties: (a) support a non-contiguous identifier space, (b) support the ReadAndRemove and Add primitives, from which we can also implement the Read, Write, and Pop primitives as mentioned in Section 2.3, (c) have zero failure probability.¹

There are two possible candidates for the bucket O-RAM, both of which are modifications of simple O-RAM constructions initially proposed by Goldreich and Ostrovsky [6], and described in more detail in Section 2.5:

1. Trivial O-RAM. Every operation is implemented by a sequential scan of all blocks in the server-side storage. For capacity L, the server-side storage is O(L) and the cost of each operation (both amortized and worst-case) is O(L).

2. Square-Root O-RAM [6]. For capacity L, the Square-Root O-RAM achieves O(L) server-side storage, O(1) client-side storage, O(√L log L) amortized cost, and O(L log L) worst-case cost.

O-RAM operations. When data blocks are being written to the O-RAM, they are first 
added to the bucket at the root of the tree. As more data blocks are being added to a 
bucket, the bucket’s load will increase. To avoid overflowing the capacity of a bucket O- 
RAM, data blocks residing in any non-leaf bucket are periodically evicted to its children 
buckets. More specifically, eviction is an oblivious protocol between the client and the 
server in which the client reads data blocks from selected buckets and writes each block 
to a child bucket. 

Over time, each block will gradually percolate down a path in the tree towards a leaf bucket, until the block is read or written again. Whenever a block is being added to the root bucket, it will be logically assigned to a random leaf bucket, indexed by a string in {0, 1}^D. Henceforth, this data block will gradually percolate down towards the designated leaf bucket, until the same data block is read or written again.

Suppose that at some point, a data block is currently logically assigned to leaf node ℓ ∈ {0, 1}^D. This means that a fresh copy of the data block exists somewhere along the path from the leaf node ℓ to the root. To find that data block, it suffices to search for the data block in all buckets on the path from the designated leaf node to the root. We assume that when the data block is stored in a bucket, we store the tag ℓ along with it, and we denote the block's contents by (data‖ℓ).

¹ It would also be acceptable if a failure probability δ per operation would only incur a multiplicative factor of O(log log(1/δ)) in the cost.

Fig. 2. Searching for a data block. A block u is logically associated with a leaf node ℓ at a given point in time. To look up the block u, it suffices to search every bucket on the path from the leaf bucket ℓ to the root bucket (denoted by the shaded buckets in this figure). Every time a block is accessed, it will be logically assigned to a fresh random leaf node.

Fig. 3. Background evictions with eviction rate ν = 2. Upon every data access operation, for each depth in the hierarchy, ν buckets are chosen randomly for eviction, during which one data block (real or dummy) will be evicted to each of its children. If the bucket is loaded, then one real block and one dummy block are evicted. If the bucket is not loaded, two dummy blocks are evicted. In this figure, D denotes the eviction of a dummy block, and R denotes the eviction of a real block.

Ensuring security. For security reasons, it is important to ensure the following:

• Every time a block is accessed, its designated leaf node must be chosen independently at random. This is necessary to ensure that two operations on the same data block are completely unlinkable.

• The bucket sequence accessed during the eviction process must reveal no information about the load of each bucket, or the data access sequence. In our construction, the choice of which buckets to evict from is randomly selected, and independent of the load of the bucket or the data access sequence. Furthermore, whenever a bucket is selected for eviction, we always write to both of its children; depending on whether there are real blocks to evict, we write a real or a dummy block to each of its children.

Client-side index. As each data block will be logically assigned to a random leaf node every time it is operated on, we need some data structure to remember where each block might be at any point in time. For this reason, the client stores a data structure of size N log N / B blocks, in which it records which leaf node is currently associated with each block. When B > c log N, this index structure's size is a linear fraction of the capacity of the O-RAM. Therefore, in the basic scheme, we require N/c client-side storage, where c > 1.

However, later in the recursive construction described in Section [?], we show how to apply our O-RAM construction recursively over the index structure to achieve O(1) client-side storage.

A note about dummy blocks and dummy operations. To ensure the security of the 
O-RAM, in our construction, we often rely on dummy blocks and dummy operations to 
hide certain information from the untrusted server, such as whether a bucket is loaded, 
and where in the tree a block is headed. 

For the purpose of this section, we adopt the following notion of dummy blocks and dummy operations. We will think of the dummy block as a regular but useless data block. We can dedicate a certain block identifier, e.g., u = 0, to serve as the dummy block. In this way, we simply deduct 1 from the O-RAM capacity, which does not affect the asymptotics. In our construction, every bucket may contain a dummy block, while each real data block exists in at most one bucket.

Given the above notion of the dummy block, we can define a dummy O-RAM operation as a regular operation on the dedicated dummy block with u = 0. A dummy O-RAM operation serves no purpose other than ensuring the security of the O-RAM. Henceforth, with a slight abuse of notation, we use the symbol ⊥ to denote a dummy data block or its identifier. We use the notations ReadAndRemove(⊥), Add(⊥), Read(⊥) and Write(⊥) to denote dummy O-RAM operations.

3.2 Detailed Construction 

We define some notations in Table 2 which will be useful in the formal algorithm descriptions.

ReadAndRemove operation. The algorithm for performing a ReadAndRemove(u) operation is described in Figure 4. First, the client looks up its local index structure index to find out which leaf node l the requested block u is associated with. We then generate a fresh random l* from {0,1}^D and overwrite index[u] ← l*, i.e., block u is henceforth associated with a fresh random leaf node l*. Notice that this ensures no linkability between two operations on the same data block. In order to avoid an extra index lookup for any following Add operation, l* is also stored in a global variable state.

Now, given that u is currently associated with leaf node l, it means that a fresh copy of block u must reside in some bucket along the path from leaf l to the root, denoted by P(l). If u is found in some bucket, we remove u from that bucket, and remember its data content. Regardless of whether u has been found, we always
continue our search all the way to the root. Note that to ensure obliviousness, it is important that the search does not abort prematurely even after finding block u. Finally, if the requested block u has been found, the ReadAndRemove algorithm returns its data contents; otherwise, the ReadAndRemove algorithm returns ⊥.

Table 2. Notations

  D                             ⌈log_2 N⌉
  u ∈ {0, 1, ..., N − 1}        global identifier of a block
  index                         client's index structure
  index[u] ∈ {0,1}^D            id of the leaf node associated with block u, initially random
  state                         global variable to avoid an unnecessary index lookup
  root                          root bucket of the binary tree
  P(l)                          path from the leaf node l to the root
  Child_b(bucket), b ∈ {0, 1}   the left or right child of a bucket
  ν                             eviction rate
  UniformRandom(S)              samples an element uniformly at random from the set S
  UniformRandom_ν(S)            samples a subset of size ν uniformly at random from the set S
  ⊥                             a dummy block or the identifier of a dummy block

Add operation. Also shown in Figure 4, the Add(u, data) operation reads the tag l from state, which was just generated by the preceding ReadAndRemove(u) operation. The client writes the intended block (u, data||l) to the root bucket.

Notice that here the client tags the data with l, i.e., the id of the leaf node that block u will be logically associated with until the next operation on block u. The designated leaf node tag will become important when we recursively apply our O-RAM over the client's index structure, as described in Section 4. Specifically, the eviction algorithm will examine this designated leaf node tag to determine to which child node to evict this block. Observe that to preserve the desired asymptotics in the recursive construction, the eviction algorithm cannot afford to (recursively) look up the index structure to find the designated leaf node for a block. By tagging the data with its designated leaf, the eviction algorithm need not perform recursive lookups to the index structure.

Finally, at the end of every Add operation, the client invokes the background eviction 
process once. We now describe the background eviction algorithm. 

Background evictions. Let v denote the eviction rate. For the purpose of our asymp- 
totic analysis, it suffices to let v = 2. 

Whenever the background eviction algorithm is invoked, the client randomly selects 
v buckets to evict at every depth of the tree. 

If a bucket is selected for eviction, the client pops a block from the bucket O-RAM 
by calling the Pop operation (see Section IPI for how to implement the Pop operation 
given an O-RAM that supports ReadAndRemove and Write operations). If the bucket selected for eviction is loaded, then the Pop operation returns a real block and removes that block from the bucket O-RAM; otherwise, if the bucket is not loaded, the Pop operation returns a dummy block ⊥.

Regardless of whether a real block or a dummy block is returned by the Pop opera- 
tion, the client always performs a write to both children of the selected bucket: 
1. If a dummy block is returned by Pop, the client simply performs a dummy write to both children buckets.

2. If a real block is returned, the client examines its designated leaf node tag to figure out the correct child node to evict this block to. Recall that this designated leaf node tag is added when the block is first written to the root bucket. (Note that although in the basic construction the client can alternatively find out this information by looking up its local index structure, later in the recursive construction the client will have to obtain this information through the designated leaf node tag.)

Now, suppose that the block should be evicted to child b ∈ {0, 1} of the selected bucket; the client then writes the block to child b, and writes a dummy block to child 1 − b.

Regardless of which case, to ensure obliviousness, the two writes to the children nodes must proceed in a predetermined order, e.g., first write a real or dummy block to child 0, and then write a real or dummy block to child 1.

ReadAndRemove(u):
 1: l* ← UniformRandom({0,1}^D)
 2: l ← index[u], index[u] ← l*
 3: state ← l*                                  // If an Add operation follows, l* will be used by Add
 4: data ← ⊥
 5: for each bucket on P(l) do                 // path from leaf l to root
 6:   if ((data_0||l_0) ← bucket.ReadAndRemove(u)) ≠ ⊥ then
 7:     data ← data_0                           // Notice that l = l_0
 8:   end if
 9: end for
10: return data

Add(u, data):
 1: l ← state
 2: root.Write(u, data||l)                      // Root bucket's O-RAM Write operation
 3: Call Evict(ν)
 4: return data

Fig. 4. Algorithms for data access
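The three procedures described above (ReadAndRemove, Add and the background eviction), as an added, runnable Python example that is not part of the paper: it implements Figures 4 and 5 over the trivial bucket O-RAM (a fixed-size array that is scanned in full on every operation) and records, per client operation, the sequence of server buckets touched, so that the obliviousness claim of the security analysis can be checked against an actual trace. The heap-style bucket numbering, the class and function names, the populated_oram helper and the use of bucket capacity N (instead of the O(log(NM/δ)) of Lemma 3, so that this toy instance can never overflow) are this example's own choices. A seeded random.Random is injected only to make tests reproducible; a real client must keep the default random.SystemRandom.

```python
import random

DUMMY = None  # plays the role of ⊥ (a dummy block / a dummy operation)


class BucketOverflow(Exception):
    pass


class TrivialBucket:
    """Trivial bucket O-RAM: a fixed-size array scanned in full on every
    operation, so the server only sees *that* the bucket was touched."""

    def __init__(self, capacity):
        self.slots = [DUMMY] * capacity

    def read_and_remove(self, u):
        found = DUMMY
        for i, entry in enumerate(self.slots):           # full scan, no early exit
            if entry is not DUMMY and entry[0] == u:
                found, self.slots[i] = entry, DUMMY
        return found

    def write(self, entry):
        free = None
        for i, slot in enumerate(self.slots):            # scan even for a dummy write
            if slot is DUMMY and free is None:
                free = i
        if entry is DUMMY:
            return                                       # a dummy write stores nothing
        if free is None:
            raise BucketOverflow
        self.slots[free] = entry

    def pop(self):
        popped = DUMMY
        for i, entry in enumerate(self.slots):
            if entry is not DUMMY and popped is DUMMY:
                popped, self.slots[i] = entry, DUMMY
        return popped

    def load(self):
        return sum(1 for e in self.slots if e is not DUMMY)


class TreeORAM:
    """Basic construction: N blocks, D = log2 N, buckets numbered heap-style
    (root = 1, Child_b(k) = 2k + b, leaf l is bucket 2^D + l)."""

    def __init__(self, n_blocks, bucket_capacity, eviction_rate=2, rng=None):
        assert n_blocks >= 2 and (n_blocks & (n_blocks - 1)) == 0
        self.N, self.D, self.nu = n_blocks, n_blocks.bit_length() - 1, eviction_rate
        self.rng = rng or random.SystemRandom()           # CSPRNG unless a test injects a seed
        self.buckets = {k: TrivialBucket(bucket_capacity) for k in range(1, 2 ** (self.D + 1))}
        self.index = [self.rng.randrange(2 ** self.D) for _ in range(n_blocks)]  # index[u]
        self.state = None
        self.trace = []                                   # bucket ids touched, in order

    def path(self, leaf):
        """P(l): the buckets from leaf l up to the root."""
        k = 2 ** self.D + leaf
        while k >= 1:
            yield k
            k //= 2

    def read_and_remove(self, u):
        new_leaf = self.rng.randrange(2 ** self.D)        # l* <- UniformRandom({0,1}^D)
        leaf, self.index[u] = self.index[u], new_leaf
        self.state = new_leaf
        data = DUMMY
        for k in self.path(leaf):                         # never stop early
            self.trace.append(k)
            entry = self.buckets[k].read_and_remove(u)
            if entry is not DUMMY:
                data = entry[1]
        return data

    def add(self, u, data):
        self.trace.append(1)
        self.buckets[1].write(DUMMY if data is DUMMY else (u, data, self.state))
        self.evict()
        return data

    def evict(self):
        for d in range(self.D):
            level = list(range(2 ** d, 2 ** (d + 1)))
            for k in self.rng.sample(level, min(self.nu, len(level))):
                self.trace.append(k)
                entry = self.buckets[k].pop()
                if entry is DUMMY:
                    blocks = {0: DUMMY, 1: DUMMY}
                else:                                     # (d+1)-st bit of the leaf tag
                    b = (entry[2] >> (self.D - 1 - d)) & 1
                    blocks = {b: entry, 1 - b: DUMMY}
                for b in (0, 1):                          # fixed order: child 0, then child 1
                    self.trace.append(2 * k + b)
                    self.buckets[2 * k + b].write(blocks[b])

    def write(self, u, data):
        old = self.read_and_remove(u)
        self.add(u, data)
        return old

    def read(self, u):
        data = self.read_and_remove(u)
        self.add(u, data)             # dummy root write if u was never written
        return data

    def op_trace(self, fn, *args):
        """Run one client operation; return its result and the buckets it touched."""
        start = len(self.trace)
        return fn(*args), self.trace[start:]


def populated_oram(seed=7, n=8):
    """Seeded instance (tests only) holding n blocks; capacity n cannot overflow
    because every real block lives in exactly one bucket at any time."""
    oram = TreeORAM(n, bucket_capacity=n, rng=random.Random(seed))
    for u in range(n):
        oram.write(u, "block-%d" % u)
    return oram
```

Two properties of the trace are worth checking: a ReadAndRemove touches exactly D + 1 buckets that form a leaf-to-root path, and an Add touches 1 + Σ_d min(ν, 2^d)·3 buckets; both counts are independent of u and of whether u was ever written, and only the (freshly random) leaf changes from one access to the next.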

3.3 Security Analysis 

Theorem 1 (Security of Basic Construction). Our Basic O-RAM Construction is secure in the sense of our security definition, assuming that each bucket O-RAM is also secure.

Proof. Observe that each bucket is itself a secure O-RAM. Hence, it suffices to show that each type of operation induces independently the same distribution on the access patterns of the buckets in the binary tree, regardless of the arguments.

For the ReadAndRemove(u) operation, the buckets along the path P(l) from the root to the leaf indexed by l = index[u] are accessed. Observe that l is generated uniformly at random from {0,1}^D. Hence, the distribution of buckets accessed is the buckets along the path to a random leaf. Moreover, each time ReadAndRemove(u) is called, a fresh random l* is generated to be stored in index[u] so that the next invocation of ReadAndRemove(u) will induce an independent random path of buckets.

For the Add(u, data) operation, the root bucket is always accessed. More buckets are accessed in the Evict subroutine. However, observe that the access pattern of the buckets is independent of the configuration of the data structure, namely two random buckets at each depth (other than the leaves) are chosen for eviction, followed by accesses to both child buckets.

Evict(ν):
 1: for d = 0 to D − 1 do
 2:   Let S denote the set of all buckets at depth d.
 3:   A ← UniformRandom_ν(S)
 4:   for each bucket ∈ A do
 5:     (u, data||l) ← bucket.Pop()
 6:     b ← (d+1)-st bit of l
 7:     block_b ← (u, data||l), block_{1−b} ← ⊥
 8:     ∀b ∈ {0, 1}: Child_b(bucket).Write(block_b)
 9:   end for
10: end for

Fig. 5. Background eviction algorithm with eviction rate ν

3.4 Asymptotic Performance of the Basic Construction 

We next analyze the server-side storage and the cost of each operation. If the capacity of each bucket is L, the server-side storage is O(NL), because there are O(N) buckets. If we use the trivial bucket O-RAM, each operation has cost O(L log N). If we use the Square-Root bucket O-RAM, each operation has amortized cost O(√L log L log N) and worst-case cost O(L log L log N).

We prove the following lemma in Appendix A.

Lemma 2 (Each Bucket Has Small Load). Let δ > 0 be sufficiently small. For a fixed time and a fixed bucket, the probability that the bucket has load more than log_2(1/δ) is at most δ.

Applying the Union Bound on Lemma 2 over all buckets and over all time steps, we have the following result.

Lemma 3 (Bucket Overflow). Suppose 0 < δ < 1 and N, M > 10. Then, one can use bucket O-RAMs with capacity O(log(NM/δ)) such that with probability at least 1 − δ, the Basic O-RAM Construction can support M operations without any bucket overflow.

Lemma 3 gives an upper bound on the capacity of each bucket and from the above discussion, we have the following result.

Corollary 1. The Basic O-RAM Construction can support M operations with failure probability at most δ using O(N log(NM/δ)) server-side storage and O(N log N / B) client-side storage. The cost of each operation is as follows:

  Bucket O-RAM   Amortized                                  Worst-case
  Trivial        O(log N log(NM/δ))                          O(log N log(NM/δ))
  Square-Root    O(log N √(log(NM/δ)) log log(NM/δ))         O(log N log(NM/δ) log log(NM/δ))

Specifically, if the number of data access requests M = poly(N), then the basic construction with the trivial bucket O-RAM achieves O((log N)^2) amortized and worst-case cost; and the basic construction with the Square-Root bucket O-RAM achieves O((log N)^1.5) amortized cost, and O((log N)^2) worst-case cost. Furthermore, no buckets will overflow with probability 1 − 1/poly(N).


4 Recursive Construction and How to Achieve the Desired 
Asymptotics 

The basic construction described in Section 3 achieves poly-logarithmic amortized and worst-case cost, but requires N/c client-side storage, where c = B / log N > 1.

In this section, we demonstrate how to recursively apply our O-RAM construction to the client's index structure to achieve O(1) client-side storage, while incurring an O(log N) multiplicative factor in terms of the amortized and worst-case cost.


4.1 Recursive O-RAM Construction: O(1) Client-Side Storage

Storing the index through recursion. In the basic construction, the client's index structure takes up at most N log N / B < N/c space, where B > c log N. To achieve O(1) client-side storage, we recursively apply our O-RAM over the index structure. Instead of storing the index structure on the client, we store the index structure in a separate O-RAM on the server side. At each step of the recursion, we effectively compress the O-RAM capacity by a factor of c > 1. Therefore, after log_c N levels of recursion, the index structure will be reduced to constant size.

To see how the recursion can be achieved, notice that Line 2 of the ReadAndRemove algorithm in Figure 4 can be replaced with a recursive O-RAM operation:

  O-RAM.Write(block_id(index[u]), l*)

Here we have a slight abuse of notation, because in reality, the entry index[u] (stored sequentially according to u) resides in a larger block identified by block_id(index[u]), and one would have to first read that block, update the corresponding entry with l*, and then write the updated block back.

Theorem 2 (Recursive O-RAM Construction). The Recursive O-RAM Construction can support M operations with failure probability at most δ using O(N log(NM/δ)) server-side storage and O(1) client-side storage, and the cost of each operation is as follows:

  Bucket O-RAM   Amortized                                          Worst-case
  Trivial        O(log_c N log N log(NM/δ))                          O(log_c N log N log(NM/δ))
  Square-Root    O(log_c N log N √(log(NM/δ)) log log(NM/δ))         O(log_c N log N log(NM/δ) log log(NM/δ))

Specifically, if the number of data access requests M = poly(N), then the recursive construction with the trivial bucket O-RAM achieves O((log N)^3) amortized and worst-case cost; and the recursive construction with the Square-Root bucket O-RAM achieves O((log N)^2.5) amortized cost, and O((log N)^3) worst-case cost. Furthermore, no buckets will overflow with probability 1 − 1/poly(N).

Proof. The O(1) client-side storage is immediate, due to the fact that all client-side storage (including the state variable in Figure 4 and the shuffling buffer for the Square-Root bucket O-RAM) is transient state rather than persistent state, and therefore, all levels of recursion can share the same O(1) client-side storage.

Observe that for each j = 0, 1, ..., ⌈log_c N⌉, the j-th recursion produces a binary tree with O(N/c^j) buckets. Hence, there are in total O(Σ_j N/c^j) = O(N) buckets.

Recall that by Lemma 2, for each bucket and at the end of each operation, with probability at least 1 − η, the load of the bucket is at most log_2(1/η). Since there are O(N) buckets and M operations, we need to set η = O(δ/(NM)) to apply the Union Bound such that the overall failure probability (due to bucket overflow) is at most δ. It follows that the capacity of each bucket is L = O(log(NM/δ)) and hence the server-side storage is O(NL) = O(N log(NM/δ)).

Moreover, each operation on the Recursive O-RAM induces O(log(N/c^j)) operations on the bucket O-RAMs in the j-th binary tree. Hence, the total number of bucket O-RAM accesses is Z = O(Σ_{j≥0} log(N/c^j)) = O(log_c N log N).

If we use the trivial bucket O-RAM, each operation has cost O(ZL).

If we use the Square-Root bucket O-RAM, the amortized cost is O(Z√L log L) and the worst-case cost is O(ZL log L), as required.

Remark 1. Observe that the BST O-RAM construction by Damgård, Meldgaard, and Nielsen for capacity L has client storage O(1), server storage O(L log L), amortized cost O((log L)^a) and worst-case cost O((log L)^b), where a and b are small integers. Hence, if we use the BST construction for our bucket O-RAM, the amortized cost of our binary-tree scheme can be improved to O(log_c N log N (log log(NM/δ))^a) = O((log N)^2) and the worst-case cost to O(log_c N log N log(NM/δ) (log log(NM/δ))^b) = O((log N)^3), where M = poly(N) and δ = 1/poly(N), while the server storage cost is O(N log N).
Appendices

A Bounding the Load of Each Bucket

In this section, we prove the following high probability statement for bounding the load in each bucket.

Theorem 3 (Each Bucket Has Small Load). Let δ > 0 be sufficiently small. For a fixed time and a fixed bucket, the probability that the bucket has load more than log_2(1/δ) is at most δ.

Recall that the number of levels is L := ⌈log_2 N⌉. We analyze the load according to the depth i of the bucket.

A.1 Bounding the Load for Levels 0 to L − 1 with a Markov Process

Observe that in our scheme, when a block inside some bucket is accessed, the block is removed from the bucket. However, for the purpose of analysis, we assume that a block stays inside its bucket when it is accessed, i.e., a block can leave a bucket only when the bucket is chosen for eviction; moreover, since we are only concerned about the load of a bucket, for simplicity we also assume that the blocks arriving at a bucket are all distinct. The load of a bucket in our scheme is always bounded above by the corresponding load in the modified process, which we analyze using a Markov process. If we assume that a bucket is initially empty, then its load will be stochastically dominated by the load under the stationary distribution.

Defining Markov Process Q(α, β). Given 0 < α ≤ β ≤ 1, we describe a Markov process Q(α, β) with non-negative integral states as follows. In order to illustrate the relationship between the Markov process and the load of a bucket, we define Q(α, β) using the terminology related to the bucket. The state of the Markov process corresponds to the current load of a bucket. At any time step, the following happens independently of any past events in the specified order:

(a) With probability α, a block arrives at the bucket.

(b) If the load of the bucket is non-zero (maybe because a block has just arrived), then with probability β a block departs from the bucket.

Recall that when a block departs from a depth-i bucket, it arrives at one of the two depth-(i + 1) child buckets uniformly at random.

Example. We immediately see that the root bucket is modeled by Q(1, 1) and a depth-1 bucket is modeled by Q(1/2, 1). Both cases are trivial because the load at the end of every time step is zero. One can see that at every time step a block arrives at one of the four depth-2 buckets uniformly at random and two out of the four buckets are chosen for eviction every step. Hence, each of the depth-2 buckets can be modeled by Q(1/4, 1/2). Using a classic queuing theory result by Hsu and Burke we can show that at further depths, a block leaves a bucket with some fixed probability at every time step, so that independent arrivals are satisfied at the child buckets.

Corollary 2 (Load of an Internal Bucket). For 2 ≤ i < L, under the stationary distribution, the probability that a depth-i bucket has load at least s is at most p_i^s ≤ 2^{−s}; in particular, for 0 < δ < 1, with probability at least 1 − δ, its load is at most log_2(1/δ).

Proof. The proof builds on top of a classic queuing theory result by Hsu and Burke. The full proof is provided in our online technical report.
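The stationary distribution of Q(α, β), worked out as an added example (not the paper's code; the text only states the resulting tail bound). Q(α, β) is a birth-death chain whose birth and death probabilities do not depend on the state, so detailed balance gives a geometric stationary law; the derivation in the docstrings is this example's own, and the seeded simulation is a constructed check, not data from the paper. For the depth-2 parameters Q(1/4, 1/2) of the Example above the ratio is 1/3, which is why Pr[load ≥ s] ≤ 2^{−s} holds with room to spare.

```python
import random


def transition_probabilities(alpha, beta, load):
    """One step of Q(alpha, beta) from state `load`: (a) a block arrives w.p.
    alpha, then (b) if the load is now non-zero a block departs w.p. beta.
    Returns {next_load: probability}."""
    up = alpha * (1 - beta)                      # arrival and no departure
    if load == 0:
        return {1: up, 0: 1 - up}                # nothing can depart from an empty bucket
    down = (1 - alpha) * beta                    # no arrival and a departure
    return {load + 1: up, load - 1: down, load: 1 - up - down}


def stationary_ratio(alpha, beta):
    """rho = alpha(1-beta) / ((1-alpha) beta).  Birth rate alpha(1-beta) and
    death rate (1-alpha) beta are the same in every state, so detailed balance
    pi_n * alpha(1-beta) = pi_{n+1} * (1-alpha) beta gives pi_n = (1-rho) rho^n;
    rho < 1 exactly when alpha < beta (beta = 1 makes the chain trivial)."""
    assert 0 < alpha <= beta <= 1 and (alpha < beta or beta == 1)
    return 0.0 if beta == 1 else alpha * (1 - beta) / ((1 - alpha) * beta)


def tail_probability(alpha, beta, s):
    """Pr[load >= s] under the stationary distribution, i.e. rho^s."""
    return stationary_ratio(alpha, beta) ** s


def load_bound(alpha, beta, delta):
    """Smallest s with Pr[load >= s] <= delta.  When rho <= 1/2 this is at most
    ceil(log2(1/delta)), the shape of the bound in Corollary 2."""
    rho = stationary_ratio(alpha, beta)
    s = 0
    while rho ** s > delta:
        s += 1
    return s


def simulate_tail(alpha, beta, s, steps, seed=0):
    """Empirical Pr[load >= s] over a seeded run of Q(alpha, beta) started
    empty (the start the paper shows is dominated by the stationary law)."""
    rng = random.Random(seed)
    load, hits = 0, 0
    for _ in range(steps):
        if rng.random() < alpha:
            load += 1
        if load > 0 and rng.random() < beta:
            load -= 1
        hits += load >= s
    return hits / steps
```
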

A.2 Bounding the Load of Level L with "Balls into Bins"

Observe that a block residing at a depth-L bucket traversed a random path from the root bucket to a random leaf bucket. Hence, given that a block is at depth L, the block is in one of the leaf buckets uniformly at random. Hence, to give an upper bound on the load of a leaf bucket at any single time step, we can imagine that each of the N blocks is placed independently in one of the leaf buckets uniformly at random. This can be analyzed by the well-known "Balls into Bins" process.

Corollary 3 (Load of a Leaf Bucket). For each time step, for sufficiently small δ > 0, with probability at least 1 − δ, a leaf bucket has load at most log_2(1/δ).

Proof. Using standard balls and bins analysis. The full proof will be supplied in the online technical report.
Abstract. Differential Privacy (DP) has emerged as a formal, flexible framework for privacy protection, with a guarantee that is agnostic to auxiliary information and that admits simple rules for composition. Benefits notwithstanding, a major drawback of DP is that it provides noisy¹ responses to queries, making it unsuitable for many applications. We propose a new notion called Noiseless Privacy that provides exact answers to queries, without adding any noise whatsoever. While the form of our guarantee is similar to DP, where the privacy comes from is very different, based on statistical assumptions on the data and on restrictions to the auxiliary information available to the adversary. We present a first set of results for Noiseless Privacy of arbitrary Boolean-function queries and of linear Real-function queries, when data are drawn independently, from nearly-uniform and Gaussian distributions respectively. We also derive simple rules for composition under models of dynamically changing

1 Introduction 

Developing a mathematically sound notion of privacy is a difficult problem. Several definitions for database privacy have been proposed over the years, many of which were subsequently broken. For example, methods like k-anonymity [Swe02] and l-diversity [MGKV06] are vulnerable to simple, practical attacks that can breach privacy of individual records [GKS08]. In 2006, Dwork et al. [DMNS06] made significant strides toward formal specification of privacy guarantees by introducing an information-theoretic notion called Differential Privacy (DP). For a detailed survey on DP see [Dwo08].

Definition 1 (ε-Differential Privacy [DMNS06]). A randomized algorithm A is ε-differentially private if for all databases T, T' ∈ 𝒟^n differing in at most one record and all events O ⊆ Range(A), Pr[A(T) ∈ O] ≤ e^ε Pr[A(T') ∈ O].

¹ By noise we broadly refer to any external randomization introduced in the output by the privacy mechanism.

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 215–232, 2011.
DP provides a flexible framework for privacy protection based on mechanisms that provide noisy responses to the database queries. The amount of noise introduced in the query-response is: 1) Independent of the actual data entries, 2) Based on the sensitivity of the query to "arbitrary" change of a small number of entries in the data, and 3) Agnostic to the auxiliary information available to the adversary. Their benefits notwithstanding, these properties of DP also result in high levels of noise in the DP output, oftentimes leading to unusable query responses [MKA+08]. Several applications, in fact, completely break down when even the slightest amount of noise is added to the output (for example, during a financial audit, noisy query-responses may reveal inconsistencies that may be wrongly interpreted as fraud). Besides, when transitioning from a noise-free regime, to incorporate privacy guarantees, the query-response mechanism must be re-programmed (to inject a calibrated amount of noise) and the mechanism consuming the DP output must be re-analyzed for its utility/effectiveness (since it must now operate on noisy, rather than exact, query-responses). Hence, the addition of noise to query-responses in the DP framework can be a major barrier to the adoption of DP in practice. Moreover, it is unclear if the DP guarantee (or for that matter, if any privacy guarantee) can provide meaningful privacy protection when the adversary has access to arbitrary auxiliary information. On the positive side, however, the structure of the DP guarantee makes it easy to derive simple rules of composition under multiple queries.

Noiseless Privacy: In this paper, we propose a new, also information- 
theoretic, notion of privacy called Noiseless Privacy that provides exact answers 
to database queries, without adding any noise whatsoever. While the form of 
our guarantee is similar to DP, where the privacy comes from is very different, 
and is based on: 1) A statistical (generative) model assumption for the database, 
2) Restrictions on the kinds of auxiliary information available to the adversary. 
Both these assumptions are reasonable in many real-world settings; the former 
is, e.g., commonly used in machine learning, while the latter is natural when 
data is collected from a diverse network/collection of sources (e.g., from users of 
the world-wide web). 

Consider an entry t_i in the database and two possible values a and b which it can take. Noiseless Privacy simply requires that the probability of the output (or the vector of outputs in case of multiple queries) lying in a certain measurable set remains similar whether t_i takes value a or b. Here, the probability is taken over the choice of the database (coming from a certain distribution) and is conditioned on the auxiliary information (present with the adversary) about the database. See Definition 2 for formal details.

While the DP framework makes no assumptions about the data distribution 
or the auxiliary information available to the adversary, it requires the addition 
of external noise to query-responses. By contrast, in Noiseless Privacy, we study 
the privacy implications of providing noise- free responses to queries, but under 
assumptions governing the data distribution and limited auxiliary information. 

At this point, we do not know how widely our privacy framework will be applicable in real systems. However, whenever privacy can be obtained in our framework (and our work shows there are significant non-trivial cases where Noiseless Privacy can be achieved) it comes for "free." Another practical benefit
is that no changes are needed in the query-response or response-consumption 
mechanisms, only an analysis to “okay the system” to establish the necessary 
privacy guarantees is required. Moving forward, we believe that checking the 
feasibility of Noiseless Privacy is a useful first-step when designing privacy- 
preserving systems. Only when sufficient intrinsic entropy in the data cannot 
be established, do we need external noise-injection in the query-responses. This 
way, we would pay for privacy only when strictly necessary. 

Our Results: In this work, we study certain types of boolean and real queries and show natural (and well understood) conditions under which Noiseless Privacy can be obtained with good parameters. We first focus on the (single) boolean query setting; i.e., the entries of the database as well as the query output have one bit of information each, with no auxiliary information available to the adversary. Our starting assumption is that each bit of the database is independently drawn from the uniform distribution (this assumption can be partially relaxed, as discussed later in the paper). We show that functions which are sufficiently "far" away from both 0-junta and 1-junta functions² satisfy Noiseless Privacy with "good" parameters. Note that functions which are close to either 0-junta or 1-junta do not represent an "aggregate statistic" of the database (which should depend on a large number of database entries). Hence, in real systems releasing some aggregate information about the database, we do expect such a condition to be naturally satisfied. Our proof of this theorem is rather intuitive and interestingly shows that these two (well understood) characteristics of the boolean functions are the only ones on which the privacy parameter depends. We extend our result to the case when the adversary has auxiliary information about some records in the database.

For functions over the reals with real outputs, we study two types of functions: (a) linear functions (i.e., where the output is a linear combination of the rows of the database), and, (b) sums of arbitrary functions of the database rows. These functions together cover a large class of aggregation functions that can support various data mining and machine learning tasks in the real world. We show natural conditions on the database distribution for which Noiseless Privacy can be obtained with good parameters, even when the adversary has auxiliary information about some constant fraction of the dataset. We refer the reader to the later sections for more details.

Multiple Queries: The above results are for the case where the adversary is allowed to ask a single query, except for the case of linear real queries, where we have a result for multiple queries. In general, achieving composition in the Noiseless Privacy framework is tricky and privacy can completely break down even given a response to two different (carefully crafted) queries. The reason why such a composition is difficult to obtain in our setting is the lack of independence between the responses to the queries; the queries operate on the same database and might have complex interdependence on each other to enable an entry of the database to be deduced fully given the responses.

² Roughly, an i-junta function is one which depends only upon i of the total input variables.

To break such interdependence in our setting, we introduce what we call the 
changing database model; we assume that between any two queries, a nontrivial 
fraction of the database has been “refreshed” . The newly added entries (which 
may either replace some existing entries or be in addition to the existing entries) 
are independent of the old entries already present in the database. This helps 
us maintain some weak independence between different queries. We note that 
the setting of the changing database model is not unrealistic. Consider an or- 
ganization that participates in a yearly industry-wide salary survey, where each 
organization submits relevant statistics about the salaries of its employees to 
some market research firms. A key requirement in such surveys is to maintain 
anonymity of its employees (and only give salary statistics based on the depart- 
ment, years of experience, etc.). A reasonable assumption in this setting is that 
a constant fraction of the employees will change every year (i.e., if the attrition 
rate of a firm is five percent, then roughly five percent of the entries can be 
expected to be refreshed every year). Apart from the above example, there are 
various other scenarios where the changing database model is realistic (i.e., when 
one is dealing with streaming data, data with a time window, etc.). Under such a changing database model, we provide generalizations of our boolean as well as real query theorems to the case of multiple queries.

We also present other interesting results like obtaining Noiseless Privacy for 
symmetric boolean functions, “decomposable” functions, etc. In some cases, we 
in fact show positive results for Noiseless Privacy under multiple queries even in 
the static database model. 

Future Work: Our work opens up an interesting direction for research in the area of database privacy. An obvious line to pursue is to expand the classes of
functions and data distributions for which Noiseless Privacy can be achieved. Re- 
laxing the independence assumption that our current results make on database 
records is another important topic. There is also scope to explore alternative 
ways of specifying the auxiliary information available to the adversary. In gen- 
eral, we believe that developing new techniques for analyzing statistical queries 
for Noiseless Privacy is an important direction of privacy research, that must 
go hand-in-hand with efforts toward new, more clever ways of adding smaller 
amounts of noise to achieve Differential Privacy. 

Related Works: The line of works most related to ours is that of query auditing (see [KMN05] and [NMK+06]) where, given a database T = (t_1, ..., t_n) with real entries, a query auditor makes a decision as to whether or not a particular query can be answered. If the auditor decides to answer the query, then the answer is output without adding any noise. Since the decision of whether to answer a query can itself leak information about the database, the decision is randomized. This randomization can be viewed as injection of some form of noise into the query response. However, on the positive side, if a decision is made to answer the query, the answer never contains any noise, which is in harmony with the motivation of our present work. See our full version [BBG+11] for a more detailed comparison of our work to this and other related works.


2 Our Privacy Notion 


In our present work, we investigate the possibility of guaranteeing privacy without adding any external noise. The main idea is to look for (and systematically categorize) query functions which under certain assumptions on the data generating distribution are inherently private (under our formal notion of privacy that we define shortly). Since the output of the function itself is inherently private, there is no need to inject external noise. As a result, the output of the function has no utility degradation. Formally, we define our new notion of privacy (called Noiseless Privacy) as follows:

Definition 2 ($\varepsilon$-Noiseless Privacy). Let $\mathcal{D}$ be the domain from which the entries of the database are drawn. A deterministic query function $f : \mathcal{D}^n \to \mathcal{Y}$ is $\varepsilon$-noiseless private under a distribution $D$ on $\mathcal{D}^n$ and some auxiliary information $\mathrm{Aux}$ (which the adversary might have), if for all measurable sets $O \subseteq \mathcal{Y}$, for all $\ell \in [n]$ and for all $a, a' \in \mathcal{D}$,

$$\Pr_{T \sim D}[f(T) \in O \mid t_\ell = a, \mathrm{Aux}] \le e^{\varepsilon} \Pr_{T \sim D}[f(T) \in O \mid t_\ell = a', \mathrm{Aux}]$$

where $t_\ell$ is the $\ell$-th entry of the database $T$.

In comparison to Definition 1, the present definition differs at least in the following aspects:

— unlike in Definition 1, it is possible for a non-trivial deterministic function $f$ to satisfy Definition 2 with reasonable $\varepsilon$. For example, the XOR of all the bits of a boolean database (where each entry of the database is an unbiased random bit) satisfies Definition 2 with $\varepsilon = 0$, whereas Definition 1 is not satisfied for any finite $\varepsilon$.

— the privacy guarantee of Definition 2 is under a specific distribution $D$, whereas Definition 1 is agnostic to any distributional assumption on the database.

— the privacy guarantee of Definition 2 is w.r.t. an auxiliary information $\mathrm{Aux}$, whereas differential privacy is oblivious to auxiliary information.


Intuitively, the above definition captures the change in the adversary's belief about a particular output in the range of $f$ in the presence or absence of a particular entry in the database. A comparable (and seemingly more direct) notion is to capture the change in the adversary's belief about a particular entry before and after seeing the output. Formally,

Definition 3 ($\varepsilon$-Aposteriori Noiseless Privacy). A deterministic query function $f : \mathcal{D}^n \to \mathcal{Y}$ is $\varepsilon$-Aposteriori Noiseless Private under a distribution $D$ on $\mathcal{D}^n$ and some auxiliary information $\mathrm{Aux}$, if for all measurable sets $O \subseteq \mathcal{Y}$, for all $\ell \in [n]$ and for all $a \in \mathcal{D}$,


where $t_\ell$ is the $\ell$-th entry of the database $T$.
The following fact shows that Definition 3 implies Definition 2 and vice versa with at most two times degradation in the privacy parameter $\varepsilon$. See the full version [BBG+11] for the proof.

Fact 1. A query function $f$ satisfies Definition 2 under a database generating distribution $D$ and auxiliary information $\mathrm{Aux}$, if and only if it satisfies Definition 3 under the same distribution $D$ and same auxiliary information $\mathrm{Aux}$. There is a possible deterioration of the privacy parameter $\varepsilon$ by at most a factor of two in either direction.

Hereafter, we will use Definition 2 as our definition of Noiseless Privacy. We also introduce a relaxed notion of Noiseless Privacy called $(\varepsilon, \delta)$-Noiseless Privacy, where with a small probability $\delta$ the $\varepsilon$-Noiseless Privacy does not hold. Here, the probability is taken over the choice of the database and the two possible values for the database entry in question. While for a strong privacy guarantee a negligible $\delta$ is desirable, a non-negligible $\delta$ may be tolerable in certain applications. The following definition captures this notion formally.

Definition 4 ($(\varepsilon, \delta)$-Noiseless Privacy). Let $f : \mathcal{D}^n \to \mathcal{Y}$ be a deterministic query function on a database of length $n$ drawn from domain $\mathcal{D}$. Let $D$ be a distribution on $\mathcal{D}^n$. Let $S_1 \subseteq \mathcal{Y}$ and $S_2 \subseteq \mathcal{D}$ be two sets such that for all $j \in [n]$, $\Pr_{T \sim D}[f(T) \in S_1] + \Pr_{T \sim D}[t_j \in S_2] \le \delta$, where $t_j$ is the $j$-th entry of $T$.

The function $f$ is said to be $(\varepsilon, \delta)$-Noiseless Private under distribution $D$ and some auxiliary information $\mathrm{Aux}$, if there exist $S_1, S_2$ as defined above such that, for all measurable sets $O \subseteq \mathcal{Y} \setminus S_1$, for all $a, a' \in \mathcal{D} \setminus S_2$, and for all $\ell \in [n]$ the following holds:

$$\Pr_{T \sim D}[f(T) \in O \mid t_\ell = a, \mathrm{Aux}] \le e^{\varepsilon} \Pr_{T \sim D}[f(T) \in O \mid t_\ell = a', \mathrm{Aux}]$$

One kind of auxiliary information ($\mathrm{Aux}$) that we will consider is partial information about some subset of entries of the database (i.e., partial disclosure). But often, it is easier to analyze the privacy when $\mathrm{Aux}$ corresponds to a full disclosure (complete revelation) of a subset of entries rather than a partial disclosure, because for partial disclosure it may be difficult to characterize the corresponding conditional probabilities. The following result shows that the privacy degradation when $\mathrm{Aux}$ corresponds to a partial disclosure of information about a subset of entries can never be worse than the privacy degradation under full disclosure of the same set of entries.

Theorem 1 (Auxiliary Information). Consider a database $T$ and a query function $f(\cdot)$ over $T$. Let $A_p$ denote some partial information regarding some fixed (but typically unknown to the mechanism) subset $T' \subseteq T$. Let $A_f$ denote the corresponding full information about the entries of $T'$. If $f(T)$ is $(\varepsilon, \delta)$-Noiseless Private under (every possible value of) the auxiliary information $A_f$ (full disclosure) provided to the adversary, then it is also $(\varepsilon, \delta)$-Noiseless Private under auxiliary information $A_p$ (partial disclosure).

Sketch of the proof:

The partial information $A_p$ induces a distribution over the space of possible full disclosures $A_f$. Using the law of total probability, we can write

$$\Pr_{T \sim D}[f(T) \in O \mid t_\ell = a, A_p] = \int_{A_f} \Pr_{T \sim D}[f(T) \in O \mid t_\ell = a, A_f]\, dF(A_f \mid A_p, t_\ell = a) \quad (1)$$

where $F(A_f \mid A_p, t_\ell = a)$ denotes the conditional distribution for $A_f$ given $A_p$ and $[t_\ell = a]$. Since $f(T)$ is $(\varepsilon, \delta)$-Noiseless Private given $A_f$, there exist appropriate sets $S_1$ and $S_2$ (see Definition 4) with $\Pr_{T \sim D}[f(T) \in S_1] + \Pr_{T \sim D}[t_j \in S_2] \le \delta$ such that, for all measurable sets $O \subseteq \mathcal{Y} \setminus S_1$, for all $a, a' \in \mathcal{D} \setminus S_2$, and for all $\ell \in [n]$ we have

$$\Pr_{T \sim D}[f(T) \in O \mid t_\ell = a, A_f] \le e^{\varepsilon} \Pr_{T \sim D}[f(T) \in O \mid t_\ell = a', A_f] \quad (2)$$

The conditional distribution on $F$ given $A_p$ and $t_\ell$ in (1) is in fact independent of $t_\ell$ (since we can only argue about the privacy of the $\ell$-th entry of $T$ if it has not been already disclosed fully in $A_f$). Now, since $F(A_f \mid A_p, t_\ell = a) = F(A_f \mid A_p, t_\ell = a')$, we can integrate both sides of (2) with respect to the same distribution and obtain, for the same sets $S_1$ and $S_2$ as in (2):

$$\Pr_{T \sim D}[f(T) \in O \mid t_\ell = a, A_p] \le e^{\varepsilon} \Pr_{T \sim D}[f(T) \in O \mid t_\ell = a', A_p] \quad (3)$$

This completes the proof.

Composability. In many applications, privacy has to be achieved under multiple (partial) disclosures of the database. For instance, in database applications, several thousand user queries about the database entries are answered in a day. Thus, a general result which tells how the privacy guarantee changes (typically degrades) as more and more queries are answered is very useful; this is referred to as composability of privacy under multiple queries. While in some scenarios (e.g., streaming applications) the database can change in between queries (dynamic database), in other scenarios it remains the same (static database). Also, the queries can be of different types or multiple instances of the same type. As mentioned earlier, in Differential Privacy, the privacy guarantees degrade exponentially with the number of queries on a static database. The notion of Noiseless Privacy often fails to compose in the presence of multiple queries on a static database (an exception to this is given in Section 4.2). But we do present several composability results for multiple queries under dynamic databases.

Dynamic databases may arise in practical scenarios in several ways: (a) Growing database model: Here the database keeps growing with time, e.g., a database of all registered cars. Thus, in between subsequent releases of information, the database grows by some number $k$; (b) Streaming model: This is the more commonly encountered scenario, where the availability of limited memory/storage causes the replacement of some old data with new data. Thus, at the time of each query the database has some $k$ new entries out of the total (fixed) $n$; and (c) Random replacement model: A good generalization of the above two models, it replaces $k$ randomly chosen entries from the database of size $n$ with the new incoming entries.

In all the above models of dynamic databases, we assume that the number of new elements forms a constant fraction of the database. In particular, if $n$ is the current database size, then some $pn$ ($0 < p < 1$) entries are old and the remaining $k = (1 - p)n$ entries are new. Our main result about composability of Noiseless Privacy holds for any query which has $(\varepsilon, \delta)$-Noiseless Privacy under any auxiliary information about at most $pn$ ($0 < p < 1$) elements of the database. Note that in the growing database model, the size of the largest database on which the query is made is assumed to be $n$ and the maximum fraction of old entries is $p$.

Theorem 2 (Composition). Consider a sequence of $m$ queries, $f_i(\cdot)$, $i \in [m]$, over dynamically changing data, such that the $i$-th query operates on the subset $T_i$ of data elements. For each $i \ge 2$, let $T_i$ share no more than a constant fraction $p$ ($0 < p < 1$) of elements with $\bigcup_{i' < i} T_{i'}$ (i.e., all except a $p$ fraction of the elements in the database are new). If every query $f_i(T_i)$, individually, is $(\varepsilon_i, \delta_i)$-Noiseless Private under the release of auxiliary information about a constant fraction $p$ of elements in $T_i$, then the sequence of queries is $\left(\sum_{i=1}^m \varepsilon_i, \sum_{i=1}^m \delta_i\right)$-Noiseless Private over the entire data.

Sketch of the proof:

To assess the privacy of the $\ell$-th element $t_\ell$, we write down the following probability:

$$\Pr_D[f_1(T_1) \in O_1, \ldots, f_m(T_m) \in O_m \mid t_\ell = a] = \Pr_D[f_1(T_1) \in O_1 \mid t_\ell = a] \times \prod_{i=2}^{m} \Pr_D[f_i(T_i) \in O_i \mid f_1(T_1) \in O_1, \ldots, f_{i-1}(T_{i-1}) \in O_{i-1}, t_\ell = a] \quad (4)$$

Since $T_i$ shares at most a constant fraction $p$ of elements with $\bigcup_{i' < i} T_{i'}$, the sequence of query responses $(f_1(T_1), \ldots, f_{i-1}(T_{i-1}))$ can be thought of as revealing auxiliary (possibly partial) information about at most a $p$ fraction of elements in $T_i$. Under such auxiliary leakage, we are given that $f_i(T_i)$ is $(\varepsilon_i, \delta_i)$-Noiseless Private, i.e., there exist appropriate sets $S_1^i$ and $S_2^i$ (see Definition 4) with $\Pr_{T \sim D}[f(T) \in S_1^i] + \Pr_{T \sim D}[t_j \in S_2^i] \le \delta_i$ such that, for all measurable sets $O_i \subseteq \mathcal{Y} \setminus S_1^i$ and for all $a, a' \in \mathcal{D} \setminus S_2^i$, we have

$$\Pr_D[f_i(T_i) \in O_i \mid f_1(T_1) \in O_1, \ldots, f_{i-1}(T_{i-1}) \in O_{i-1}, t_\ell = a] \le e^{\varepsilon_i} \Pr_D[f_i(T_i) \in O_i \mid f_1(T_1) \in O_1, \ldots, f_{i-1}(T_{i-1}) \in O_{i-1}, t_\ell = a'] \quad (5)$$

Setting $S_1 = \bigcup_i S_1^i$ and $S_2 = \bigcup_i S_2^i$ we have $\Pr_{T \sim D}[f(T) \in S_1] + \Pr_{T \sim D}[t_j \in S_2] \le \sum_{i=1}^m \delta_i$, and using (5) for each of the $m$ terms in the RHS of (4) we get, for all measurable sets $O_i \subseteq \mathcal{Y} \setminus S_1$ and for all $a, a' \in \mathcal{D} \setminus S_2$,

$$\Pr_D[f_1(T_1) \in O_1, \ldots, f_m(T_m) \in O_m \mid t_\ell = a] \le e^{\sum_{i=1}^m \varepsilon_i} \Pr_D[f_1(T_1) \in O_1, \ldots, f_m(T_m) \in O_m \mid t_\ell = a'] \quad (6)$$

This completes the proof. See the full version [BBG+11] for other results under multiple queries.

3 Boolean Queries 

In this section we study queries of the form $f : \mathcal{D}^n \to \{0,1\}$, i.e., the query function $f$ acts on a database $T \in \mathcal{D}^n$, where $\mathcal{D}$ is the domain from which the data entries are drawn.

3.1 The No Auxiliary Information Setting 

We first study a simple and clean setting: the database entries are all drawn independently and the adversary has no auxiliary information about them. We discuss generalizations later on. Before we get into the details of privacy friendly functions under our setting, we need some of the terminology from the analysis of boolean functions literature.

Definition 5 ($k$-junta [KLM+09]). A function $f : \{0,1\}^n \to \{0,1\}$ is said to be a $k$-junta if it depends only on some subset of the $n$ coordinates of size $k$.

Definition 6 ($(1 - \tau)$-far from $k$-junta). Let $\mathcal{F}$ be the class of all $k$-junta functions $f' : \{0,1\}^n \to \{0,1\}$ and let $D$ be a distribution on $\{0,1\}^n$. A function $f : \{0,1\}^n \to \{0,1\}$ is $(1 - \tau)$-far from $k$-junta under $D$ if

$$\max_{f' \in \mathcal{F}} \left| \Pr_{T \sim D}[f(T) = f'(T)] - \Pr_{T \sim D}[f(T) \ne f'(T)] \right| = \tau$$

It is easy to see that when $D$ is the uniform distribution over $n$ bits, a $k$-junta is $0$-far from the class of $k$-juntas and the parity function is $1$-far from the class of all $1$-juntas.

The theorem below is for the setting where the adversary has no auxiliary 
information about the database. Later on in this section, we show how to handle 
the case when the adversary may have a subset of the database entries. 

Theorem 3. Let $D$ be an arbitrary distribution over $\{0,1\}^n$ such that the marginal probability of the $i$-th bit equaling $1$ is $p_i$. Let $f : \{0,1\}^n \to \{0,1\}$ be a boolean function which is $(1 - \tau_1)$-far from $0$-junta and $(1 - \tau_2)$-far from $1$-junta under $D$. If $\frac{\tau_1 + \tau_2}{2} \le \min_{i \in [n]} p_i$ and $\max_{i \in [n]} p_i \le 1 - \frac{\tau_1 + \tau_2}{2}$, then $f$ is $\left(\max_{i \in [n]} \max\left\{\ln \cdots, \ln \cdots\right\}\right)$-Noiseless Private.

Proof. Please refer to [BBG+11] for the proof.
Note that in the above theorem we do not assume independence among the entries in $T$. As a result we can handle databases with correlated entries. It is also worth mentioning here that all the other results in this section assume the entries in the database to be uncorrelated.

To get some more insight into the result, let us consider $f(T)$ to be the XOR of all the bits of $T$. Let $T$ be drawn from the uniform distribution. Then $f$ is $1$-far from both a $0$-junta and a $1$-junta. Hence, $f$ is $0$-Noiseless Private. Instead of the XOR, if we let $f$ be the AND function, then we see that it is just $\left(1 - \frac{1}{2^{n-1}}\right)$-far from a $0$-junta. The ratio in this case becomes $\infty$, which shows AND is not a very good function for providing $\varepsilon$-Noiseless Privacy for small $\varepsilon$. This is indeed the case because $\Pr_T[f(T) = 1 \mid t_i = 0] = 0$ for all $i$. However, we can capture functions like AND if we try to guarantee $(\varepsilon, \delta)$-Noiseless Privacy. If we fix $\delta = \frac{1}{2^n}$ (which is basically the probability of the AND function yielding $1$), we get $\left(0, \frac{1}{2^n}\right)$-Noiseless Privacy for AND. This property is in fact not specific to AND. In fact one can easily guarantee $(\varepsilon, \delta)$-Noiseless Privacy for any symmetric boolean function (i.e., a function whose output does not change under any permutation of the input bits). We will discuss this result in a more general setting later.


3.2 Handling Auxiliary Information 

We now study the setting where the adversary may have auxiliary information 
about a subset of the entries in the database. We study the privacy of the entries 
about whom the adversary has no auxiliary information. 


Theorem 4. Let $D$ be the distribution over $\{0,1\}^n$ where the $i$-th bit is chosen to be $1$ independently with probability $p_i$. Let $f : \{0,1\}^n \to \{0,1\}$ be a boolean function which is $(1 - 2\beta)$-far away from $(d+1)$-junta, that is, for any function $g$ that depends only on a subset $S$ of $U = [n]$ of size $d+1$, $|\Pr[f(U) = g(S)] - 1/2| < \beta$. Let $T$ be a database drawn from $D$ and let $\Gamma$ be any adversarially chosen subset of variables that has been leaked, with $|\Gamma| = d$. If $\frac{\beta}{\delta} \le \min_{i \in [n]} p_i$ and $\max_{i \in [n]} p_i \le 1 - \frac{\beta}{\delta}$, then the function $f$ is $\left(\max_{i \in [n] - \Gamma}\left(\max\left\{\ln\frac{\cdots}{\cdots}, \ln\frac{\cdots}{\cdots}\right\}\right), 2\delta\right)$-Noiseless Private with respect to the bit $t_i \in T$, where $i \in [n] - \Gamma$.

Proof. We analyze the ratio given that $\Gamma = t$ is such that $|\Pr_R[f(R \| t) = 0] - 1/2| < \beta/\delta$ and $|\Pr_R[f(R \| t) = t_i] - 1/2| < \beta/\delta$. This happens with probability at least $1 - \delta - \delta = 1 - 2\delta$. The proof is as follows. Here the notation $R \| t$ refers to a database formed by combining $R$ and $t$.


Lemma 1. Let the underlying distribution be an arbitrary $D$ where each bit is $1$ independently with probability $p_i$. Under $D$, let $f$ be far away from $d$-junta, that is, for any function $g$ that depends only on a subset $S$ (with $|S| = d$) of $U = [n]$, $|\Pr_D[f(U) = g(S)] - 1/2| < \alpha$. Let $T$ be a database drawn from $D$ and let $\Gamma$ (with $|\Gamma| = d$) be any adversarial subset of entries of $T$ that has been leaked. Then, with probability at least $1 - \delta$ over the choice of assignments $t$ to $\Gamma$, $|\Pr_R[f(R \| t) = 0] - 1/2| < \alpha/\delta$.

Proof. Let $\Gamma \subseteq U = [n]$, $|\Gamma| = d$, be the set of indices leaked. Note that we use $\Gamma$ to represent both the indices and the variables themselves. Let $R = [n] - \Gamma$. We prove the lemma by contradiction. Suppose the claim is wrong. That is, with probability at least $\delta$ over $\Gamma$, $|\Pr_R[f(R \| t) = 0] - 1/2| \ge \alpha/\delta$. Construct $g : \{0,1\}^d \to \{0,1\}$ as follows.



Observe that $g$ just depends on $d$ variables. We shall now show predictability of $f$ using $g$, which contradicts farness from $d$-junta. Let us evaluate $\Pr[f(U) = g(\Gamma)]$. To that end, we partition the assignments $t$ to $\Gamma$ into three sets, $S_1$, $S_2$ and $S_3$. $S_1$ is the set of $t$ such that $\Pr_R[f(R \| t) = 0] \ge 1/2 + \alpha/\delta$, $S_2$ is the set of $t$ such that $\Pr_R[f(R \| t) = 0] \le 1/2 - \alpha/\delta$ and $S_3$ is the set of remaining assignments. Now, from our assumption, we are given that $\Pr[\Gamma \in S_1 \cup S_2] \ge \delta$. Also, it is easy to observe that for any $t$, $\Pr_R[f(R \| t) = g(t)] \ge 1/2$ by the choice of $g$. Now, we lower bound $\Pr[f(U) = g(\Gamma)]$.

$$\begin{aligned} \Pr[f(U) = g(\Gamma)] &= \mathbb{E}_\Gamma \Pr_R[f(R \| \Gamma) = g(\Gamma)] \\ &\ge \Pr[\Gamma \in S_1]\,(1/2 + \alpha/\delta) + \Pr[\Gamma \in S_2]\,(1/2 + \alpha/\delta) + \Pr[\Gamma \in S_3]\,(1/2) \\ &\ge 1/2 + (\alpha/\delta)\Pr[\Gamma \in S_1 \cup S_2] \\ &\ge 1/2 + \alpha \end{aligned}$$

This leads to a contradiction.

Lemma 2. Let $D$ be a distribution over $\{0,1\}^n$ where each bit is $1$ independently with probability $p_i$. Under $D$, let $f$ be far away from $d$-junta, that is, for any function $g$ that depends only on a subset $S$ (with $|S| = d$) of $U = [n]$, $|\Pr_D[f(U) = g(S)] - 1/2| < \beta$. Let $T$ be a database drawn from $D$ and let $\Gamma$ (with $|\Gamma| = d$) be any adversarial subset of entries of $T$ that has been leaked. Then, with probability at least $1 - \delta$ over the choice of assignments $t$ to $\Gamma$, $|\Pr_R[f(R \| t) = t_i] - 1/2| < \beta/\delta$, where $t_i$ is the $i$-th entry of the database $T$.

Proof. The proof of this lemma is identical to the previous proof. Please see [BBG+11] for the complete proof.

Following the proof structure of Theorem 3, let $N = \Pr[f = 0 \mid \Gamma = t, t_i = 0]$ and $D = \Pr[f = 0 \mid \Gamma = t, t_i = 1]$. Now,

$$\begin{aligned} (1 - p_i)N + p_i(1 - D) &= 1/2 + B_1, \text{ where } |B_1| < \beta/\delta \\ (1 - p_i)N + p_i D &= A, \text{ where } |A - 1/2| < \beta/\delta \end{aligned}$$

We now use the argument from the proof of Theorem 3 to upper (lower) bound $N/D$. Since the bound holds with probability $1 - 2\delta$, we get $\max_{i \in [n]} p_i \le \cdots$; hence $f$ is $\left(\max_{i \in [n] - \Gamma}\left(\max\left\{\ln\frac{\cdots}{\cdots}, \ln\frac{\cdots}{\cdots}\right\}\right), 2\delta\right)$-Noiseless Private, which again makes sense as long as $\frac{\beta}{\delta} \le \min_{i \in [n]} p_i$ and $\max_{i \in [n]} p_i \le 1 - \frac{\beta}{\delta}$.


3.3 Handling Multiple Queries in Adversarial Refreshment Model 

Unlike the static model, in this model we assume that every query is run on 
a database where some significant part of it is new. We focus on the following 
adversarial replacement model. 

Definition 7 (d- Adversarial Refreshment Model). Except for d adversar- 
ially chosen bits of the database T, the remaining bits are refreshed under the 
data generating distribution D before every query fi. 

We demonstrate the composability of boolean to boolean queries (i.e., $f : \{0,1\}^n \to \{0,1\}$) under this model.

By the reduction shown in Theorem 2, privacy under multiple queries follows from the privacy of a single query under auxiliary information. We use Theorems 2 and 4 to obtain the following composition theorem for boolean functions.

Corollary 1. Let $f$ be far away from $(d+1)$-junta (with $d = O(n)$), that is, for any function $g$ that depends only on a subset $S$ of $U = [n]$ of size $d+1$, $|\Pr[f(U) = g(S)] - 1/2| < \beta$. Let the database $T$ be changed as per the $d$-Adversarial Refreshment Model and let $T$ be the database formed by concatenating the new entries (in the $d$-Adversarial Refreshment Model) with the existing entries. Let the number of times that $f$ has been queried be $m$. Under the conditions of Theorem 4, $f$ is

$$\left(m \max_{i \in [n]}\left(\max\left\{\ln\frac{\cdots}{\cdots}, \ln\frac{\cdots}{\cdots}\right\}\right), 2m\delta\right)\text{-Noiseless Private,}$$

where $n$ is the size of the database $T$ and $p_i$ is the probability of the $i$-th bit of $T$ being one.

Please refer to the full version of the paper [BBG+11] for results on the privacy of symmetric functions.
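The following is an added worked example (my own code, not part of the paper or its full version) that evaluates the quantities of Definitions 2 and 4 by exhaustive enumeration over small boolean databases drawn from a product distribution, in the spirit of the XOR and AND discussion after Theorem 3. The same routine handles the full-disclosure auxiliary information of Theorem 4 (a set of leaked coordinates) and, by treating a pair of queries as one vector-valued query, contrasts composition on a static database with composition in the 1-Adversarial Refreshment Model of Section 3.3, the behaviour Section 2 describes. The function names, the toy queries and the sample parameters are mine.

```python
from itertools import product
from math import log, prod


def db_prob(db, probs):
    """Weight of a bit-vector under the product distribution D in which
    bit i is 1 independently with probability probs[i]."""
    return prod(p if b else 1.0 - p for b, p in zip(db, probs))


def noiseless_privacy_eps(f, probs, leaked=(), s1=frozenset()):
    """Smallest eps for which f is eps-Noiseless Private (Definition 2)
    under the product distribution `probs`, over every non-leaked entry
    t_ell, both values a, a' in {0,1}, and every value of the leaked entries
    (full-disclosure auxiliary information, the setting of Theorem 4).
    `s1` is the excluded output set S_1 of Definition 4 (S_2 is left empty);
    returns (eps, delta) with delta = Pr[f(T) in S_1] and eps = inf when some
    output has zero conditional probability on one side only.
    For a finite output set it suffices to compare singleton events O."""
    assert all(0.0 < p < 1.0 for p in probs)
    n = len(probs)
    weights = {db: db_prob(db, probs) for db in product((0, 1), repeat=n)}
    delta = sum(w for db, w in weights.items() if f(db) in s1)
    leaked = tuple(leaked)
    worst = 0.0
    for leak_vals in product((0, 1), repeat=len(leaked)):
        for ell in range(n):
            if ell in leaked:
                continue
            cond = {}
            for a in (0, 1):
                dist, total = {}, 0.0
                for db, w in weights.items():
                    if db[ell] != a or any(db[i] != v for i, v in zip(leaked, leak_vals)):
                        continue
                    total += w
                    dist[f(db)] = dist.get(f(db), 0.0) + w
                cond[a] = {o: p / total for o, p in dist.items()}
            for o in (set(cond[0]) | set(cond[1])) - set(s1):
                p0, p1 = cond[0].get(o, 0.0), cond[1].get(o, 0.0)
                if p0 == 0.0 or p1 == 0.0:
                    return float("inf"), delta
                worst = max(worst, abs(log(p0 / p1)))
    return worst, delta


# Toy queries (constructed for this example).
def xor_all(db):
    return sum(db) % 2


def and_all(db):
    return int(all(db))


N = 3  # database size for the composition experiment


def two_parities_static(db):
    """Static database: both queries see the same N bits.
    f_1 = parity of all bits, f_2 = parity of all bits but t_0."""
    return (sum(db) % 2, sum(db[1:]) % 2)


def two_parities_refreshed(bits):
    """1-Adversarial Refreshment Model (Definition 7) with d = 1: bit 0 is
    retained by the adversary, the other N-1 bits are redrawn before the
    second query, so the joint database has N + (N-1) bits."""
    t1 = bits[:N]
    t2 = (bits[0],) + bits[N:]
    return (sum(t1) % 2, sum(t2[1:]) % 2)


if __name__ == "__main__":
    uniform4 = [0.5] * 4
    print("XOR, uniform:", noiseless_privacy_eps(xor_all, uniform4))          # (0.0, 0.0)
    print("AND, uniform:", noiseless_privacy_eps(and_all, uniform4))          # (inf, 0.0)
    print("AND, S_1 = {1}:", noiseless_privacy_eps(and_all, uniform4, s1={1}))
    print("XOR, biased bits:", noiseless_privacy_eps(xor_all, [0.7, 0.7]))   # ln(7/3)
    print("XOR, t_0 leaked:", noiseless_privacy_eps(xor_all, uniform4, leaked=(0,)))
    print("XOR of 2 bits, t_0 leaked:", noiseless_privacy_eps(xor_all, [0.5, 0.5], leaked=(0,)))
    print("two parities, static:", noiseless_privacy_eps(two_parities_static, [0.5] * N))
    print("two parities, refreshed:", noiseless_privacy_eps(two_parities_refreshed, [0.5] * (2 * N - 1)))
```

Parity of unbiased bits gives eps = 0, and it stays 0 when one bit is leaked as long as at least one unbiased private bit remains; parity of two bits with one leaked is a 2-junta and the ratio is unbounded, matching the junta-distance hypothesis of Theorem 4. Excluding the all-ones outcome of AND (S_1 = {1}, delta = 2^-n) makes the ratio finite, with eps = ln(1/(1 - 2^(1-n))) shrinking as n grows. The two parity queries reveal t_0 exactly on a static database, while in the refreshment model each is 0-Noiseless Private and the pair sums to 0, as Theorem 2 predicts.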

4 Real Queries 

In this section, we study the privacy of functions which operate on databases with real entries and compute a real value as output. We view the database $T$ as a collection of $n$ random variables $(t_1, t_2, \ldots, t_n)$ with the $i$-th random variable representing the $i$-th database item. First we analyze the privacy of a query that outputs the sum of functions of database rows, that is, $f_n(T) = \frac{1}{s_n}\sum_{i \in [n]} g_i(t_i)$, $s_n^2 = \sum_{i \in [n]} \mathbb{E}[g_i^2(t_i)]$, in Section 4.1. We provide a set of assumptions about $g_i$ under which the response of a single such query can be provided with $(O(\cdots), O(\cdots))$-Noiseless Privacy guarantees in Theorem 5. While Theorem 5 is for an adversary that has no auxiliary information about the database, Theorem 6 is for an adversary that may have auxiliary information about some constant fraction of the database. We note that this query function is important as many learning algorithms, including principal component analysis, $k$-means clustering and any algorithm in the statistical query framework, can be captured by this type of query (see [BDMN05]). Next, in Section 4.2 we study the case of simple linear queries of the form $f_n^i(T) = \sum_{j \in [n]} a_{ij} t_j$, $a_{ij} \in \mathbb{R}$, when the $t_j$ are drawn i.i.d. from a normal distribution. We show that we can allow up to $\sqrt{n}$ query responses (on a static database) while still providing $(\varepsilon, \delta)$-Noiseless Privacy for any arbitrary $\varepsilon$ and for $\delta$ negligible in $n$. Again, we give a theorem each for an adversary with no auxiliary information as well as for an adversary who may have auxiliary information about some constant fraction of the database. We present several results about the privacy of these two queries under the various changing database models in Section 4.3.

4.1 Sums of Functions of Database Rows 

Let $T = (t_1, \ldots, t_n)$ be a database where each $t_i \in \mathbb{R}$ is independently chosen and let $g_i : \mathbb{R} \to \mathbb{R}$, $\forall i \in [n]$, be a set of one-to-one real valued functions with the following properties: (i) $\forall i \in [n]$, $\mathbb{E}[g_i(t_i)] = 0$, (ii) $\forall i \in [n]$, $\mathbb{E}[g_i^2(t_i)] = O(1)$, (iii) $\forall i \in [n]$, $\mathbb{E}[|g_i(t_i)|^3] = O(1)$, and (iv) the density function for $g_i(t_i)$, $\forall i \in [n]$, exists and has a bounded derivative. We study the privacy of the following function on the database $T$: $Y_n = \frac{1}{s_n}\sum_{i=1}^n g_i(t_i)$, where $s_n^2 = \sum_{i=1}^n \mathbb{E}[g_i^2(t_i)]$. Using Hertz's Theorem [Her69] (see [BBG+11]) we can derive the following uniform convergence result for the cdf of $Y_n$ to the cdf of the standard normal.

Corollary 2 (Uniform Convergence of $F_n$ to $\Phi$). Let $F_n$ be the cdf of $Y_n = \frac{1}{s_n}\sum_{i=1}^n g_i(t_i)$, where $s_n^2 = \sum_{i=1}^n \mathbb{E}[g_i^2(t_i)]$, and let $\Phi$ denote the standard normal cdf. If $\mathbb{E}[g_i(t_i)] = 0$ and $\mathbb{E}[g_i^2(t_i)], \mathbb{E}[|g_i(t_i)|^3] \sim O(1)$ $\forall i \in [n]$, then $Y_n$ converges in distribution uniformly to the standard normal random variable as follows: $|F_n(x) - \Phi(x)| \sim O(\cdots)$.

If the pdf $f_n$ of $Y_n$ exists and has a bounded derivative, we can further derive the convergence rate of the pdf $f_n$ to the pdf $\phi$ of the standard normal random variable. This result about pdf convergence is required because we will need to calculate the conditional probabilities in our privacy definitions over all measurable sets $O$ in the range of the query output (see Definitions 2 & 4). The result is presented in the following Lemma (please refer to [BBG+11] for the proof).

Lemma 3 (Uniform Convergence of $f_n$ to $\phi$). Let $f_n(\cdot)$ be the pdf of $Y_n = \frac{1}{s_n}\sum_{i=1}^n g_i(t_i)$, where $s_n^2 = \sum_{i=1}^n \mathbb{E}[g_i^2(t_i)]$, and let $\phi(\cdot)$ denote the standard normal pdf. If $\mathbb{E}[g_i(t_i)] = 0$, $\mathbb{E}[g_i^2(t_i)], \mathbb{E}[|g_i(t_i)|^3] \sim O(1)$ $\forall i \in [n]$, and if $\forall i$ the densities of $g_i(t_i)$ exist and have bounded derivative, then $f_n$ converges uniformly to the standard normal pdf as follows: $|f_n(x) - \phi(x)| \sim O(\cdots)$.

228 R. Bhaskar et al.

Theorem 5 (Privacy). Let $T = (t_1, \ldots, t_n)$ be a database where each $t_i \in \mathcal{D}$ is independently chosen. Let $g_i : \mathbb{R} \to \mathbb{R}$, $\forall i \in [n]$, be a set of one-to-one real valued functions and let $Y_n = \frac{1}{s_n}\sum_{i=1}^n g_i(t_i)$, where $s_n^2 = \sum_{i=1}^n \mathbb{E}[g_i^2(t_i)]$ and $\forall i \in [n]$, $\mathbb{E}[g_i(t_i)] = 0$, $\mathbb{E}[g_i^2(t_i)], \mathbb{E}[|g_i(t_i)|^3] \sim O(1)$, and $\forall i \in [n]$ the density functions for $g_i(t_i)$ exist and have bounded derivative. Let the auxiliary information $\mathrm{Aux}$ be empty. Then, $Y_n$ is $(O(\cdots), O(\cdots))$-Noiseless Private.

Sketch of the proof: Please see [BBG+11] for the full proof. To analyze the privacy of the $\ell$-th entry in the database $T$, we consider the ratio $R = \mathrm{pdf}(Y_n = a \mid t_\ell = \alpha)/\mathrm{pdf}(Y_n = a \mid t_\ell = \beta)$. Setting $Z = \frac{1}{s_z}\sum_{i=1, i \ne \ell}^n g_i(t_i)$, where $s_z^2 = \sum_{i=1, i \ne \ell}^n \mathbb{E}[g_i^2(t_i)]$, we can rewrite this ratio as $R = \mathrm{pdf}\!\left(Z = \frac{a s_n - g_\ell(\alpha)}{s_z}\right)/\mathrm{pdf}\!\left(Z = \frac{a s_n - g_\ell(\beta)}{s_z}\right)$. Applying Lemma 3 to the convergence of the pdf of $Z$ to $\phi$, we can upper-bound $R$ using a ratio of appropriate standard normal pdf evaluations. For a suitable choice of parameters, this leads to $\ln R \sim O(\cdots)$. Using Corollary 2 we can show that the probability of data corresponding to the unsuitable parameters is $O(\cdots)$.

Theorem 6 (Privacy with auxiliary information). Let $T = (t_1, \ldots, t_n)$ be a database where each $t_i \in \mathbb{R}$ is independently chosen. Let $g_i : \mathbb{R} \to \mathbb{R}$, $\forall i \in [n]$, be a set of one-to-one real valued functions and let $Y_n = \frac{1}{s_n}\sum_{i=1}^n g_i(t_i)$, where $s_n^2 = \sum_{i=1}^n \mathbb{E}[g_i^2(t_i)]$ and $\forall i \in [n]$, $\mathbb{E}[g_i(t_i)] = 0$, $\mathbb{E}[g_i^2(t_i)], \mathbb{E}[|g_i(t_i)|^3] \sim O(1)$, and $\forall i \in [n]$ the density functions for $g_i(t_i)$ exist and have bounded derivative. Let the auxiliary information $\mathrm{Aux}$ be any subset of $T$ of size $pn$. Then, $Y_n$ is $(O(\cdots), O(\cdots))$-Noiseless Private.

Sketch of the proof: Please see [BBG+11] for the full proof. To analyze the privacy of the $\ell$-th entry in the database $T$, we consider the ratio $R = \mathrm{pdf}(Y_n = a \mid t_\ell = \alpha, \mathrm{Aux})/\mathrm{pdf}(Y_n = a \mid t_\ell = \beta, \mathrm{Aux})$. Setting $Z = \frac{1}{s_z}\sum_{i \in [n] \setminus I(\mathrm{Aux}),\, i \ne \ell} g_i(t_i)$, where $s_z^2 = \sum_{i \in [n] \setminus I(\mathrm{Aux}),\, i \ne \ell} \mathbb{E}[g_i^2(t_i)]$, we can rewrite this ratio as $R = \mathrm{pdf}\!\left(Z = \frac{z_0 - g_\ell(\alpha)}{s_z}\right)/\mathrm{pdf}\!\left(Z = \frac{z_0 - g_\ell(\beta)}{s_z}\right)$, where $I(\mathrm{Aux})$ is the index set of $\mathrm{Aux}$ and $z_0 = a s_n - \sum_{j \in I(\mathrm{Aux})} g_j(t_j)$. Thereafter, the proof is similar to the proof of Theorem 5 except that $Z$ is now a sum of $n(1 - p)$ random variables instead of $n - 1$.

The above theorem and Theorem 1 together imply privacy of $Y_n = \frac{1}{s_n}\sum_{i=1}^n g_i(t_i)$ under any auxiliary information about a constant fraction of the database.
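As an added illustration of the proof sketches of Theorems 5 and 6 (my own code, not the paper's), the block below evaluates the ratio R once the pdf of Z is replaced by the standard normal pdf, which is the approximation Lemma 3 justifies up to its error term. It assumes identical rows g_i = g with a common second moment (an assumption of this example, not of the theorems), so that s_n^2 = n E[g^2] and s_z^2 = (n - 1) E[g^2], and shows how |ln R| shrinks with n for a fixed output a and a fixed pair of entry values alpha, beta. The tail function gives the probability mass of outputs beyond a threshold, the "unsuitable parameters" of the sketch.

```python
from math import erfc, sqrt, log


def log_density_ratio(n, a, alpha, beta, g=lambda t: t, second_moment=1.0):
    """ln R for Y_n = (1/s_n) sum_i g_i(t_i) at output a, comparing t_l = alpha
    with t_l = beta, when the pdf of Z = (1/s_z) sum_{i != l} g_i(t_i) is taken
    to be the standard normal pdf phi.  Assumes (for this example only) that
    all g_i equal g and that E[g(t_i)^2] = second_moment for every row, so
    s_n^2 = n * second_moment and s_z^2 = (n - 1) * second_moment."""
    s_n = sqrt(n * second_moment)
    s_z = sqrt((n - 1) * second_moment)
    u_alpha = (a * s_n - g(alpha)) / s_z   # argument of pdf(Z = .) in the numerator
    u_beta = (a * s_n - g(beta)) / s_z     # argument of pdf(Z = .) in the denominator
    # ln phi(u_alpha) - ln phi(u_beta) = -(u_alpha^2 - u_beta^2) / 2
    return -0.5 * (u_alpha ** 2 - u_beta ** 2)


def tail_mass(c):
    """Pr[|N(0,1)| > c]: the probability that the (approximately normal) output
    Y_n falls outside [-c, c], i.e. lands in the unsuitable-parameter region."""
    return erfc(c / sqrt(2.0))


def epsilon_profile(sizes, a, alpha, beta):
    """|ln R| for each database size in `sizes` at fixed a, alpha, beta."""
    return {n: abs(log_density_ratio(n, a, alpha, beta)) for n in sizes}


if __name__ == "__main__":
    # Constructed sample: g(t) = t, unit second moment, output a = 1 (one standard
    # deviation), entry values alpha = 1 and beta = -1.
    for n, eps in epsilon_profile([11, 101, 1001, 10001], 1.0, 1.0, -1.0).items():
        print(f"n = {n:6d}  |ln R| = {eps:.5f}")
    # Outputs beyond c = sqrt(2 ln n) standard deviations carry roughly 1/n mass.
    for n in (101, 10001):
        c = sqrt(2 * log(n))
        print(f"n = {n:6d}  Pr[|Y_n| > {c:.3f}] ~ {tail_mass(c):.5f}")
```

With g(t) = t the two arguments differ only in the shift g(alpha) versus g(beta), and the closed form reduces to ln R = 2 a s_n / s_z^2 times (g(beta) - g(alpha))/2, so for a = 1, alpha = 1, beta = -1 one gets 2 sqrt(n) / (n - 1), about 0.20 at n = 101 and 0.02 at n = 10001: the per-entry influence on a normalized sum fades as n grows, which is what the theorem's parameters express.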

4.2 Privacy Analysis of $f_n^i(T) = \sum_{j \in [n]} a_{ij} t_j$

We consider a sequence of linear queries $f_n^i(T)$, $i = 1, 2, \ldots$, with constant and bounded coefficients for a static database $T$. For each $m = 1, 2, \ldots$, we ask if the set $\{f_n^i(T) : i = 1, \ldots, m\}$ of queries can have Noiseless Privacy guarantees.

Theorem 7 (Privacy). Consider a database $T = (t_1, \ldots, t_n)$ where each $t_j$ is drawn i.i.d. from $\mathcal{N}(0, 1)$. Let $f_n^i(T) = \sum_{j \in [n]} a_{ij} t_j$, $i = 1, 2, \ldots$, be a sequence of linear queries (over $T$) with constant coefficients $|a_{ij}| \le 1$ and at least two non-zero coefficients in each query. Assume the adversary does not have access to any auxiliary information. For every $m$, $1 \le m \le \sqrt{n}$, the set of queries $\{f_n^1(T), \ldots, f_n^m(T)\}$ is $(\varepsilon, \mathrm{negl}(n))$-Noiseless Private for any constant $\varepsilon$, provided the following conditions hold: for all $i \in [m]$, $\ell \in [n]$, $R(\ell, i) \le 0.99 \sum_{j=1, j \ne \ell}^n a_{ij}^2$, where $R(\ell, i) = \sum_{k=1, k \ne i}^m \left|\sum_{j=1, j \ne \ell}^n a_{ij} a_{kj}\right|$.

Sketch of the proof: Please refer to [BBG+11] for the complete proof. One can represent the sequence of queries and their corresponding answers via a system of linear equations $Y = AT$, where $Y$ is the output vector and $A$ (called the design matrix) is an $m \times n$ matrix. Each row $A^i$ of the matrix $A$ represents the coefficients of the $i$-th query. Note that we cannot hope to allow more than $n$ linearly independent linear queries, because in that case the adversary can extract the entire database $T$ from the query responses.

We will prove the privacy of the $\ell$-th data item, $t_\ell$, for some $\ell \in [n]$. Let $Y_i = \sum_{j=1}^n a_{ij} t_j$, where the $t_j$ are sampled i.i.d. from $\mathcal{N}(0, 1)$. For any $\alpha, \beta \in \mathbb{R}$ and any $y = (y_1, \ldots, y_m) \in \mathbb{R}^m$, the following ratio $r$ needs to be bounded by $e^{\varepsilon}$ to guarantee Noiseless Privacy: $r = \frac{\mathrm{pdf}(Y_1 = y_1, \ldots, Y_m = y_m \mid t_\ell = \alpha)}{\mathrm{pdf}(Y_1 = y_1, \ldots, Y_m = y_m \mid t_\ell = \beta)}$. If we define $Z_i = \sum_{j=1, j \ne \ell}^n a_{ij} t_j$ for $i \in [m]$, then $r = \frac{\mathrm{pdf}(Z_1 = y_1 - a_{1\ell}\alpha, \ldots, Z_m = y_m - a_{m\ell}\alpha)}{\mathrm{pdf}(Z_1 = y_1 - a_{1\ell}\beta, \ldots, Z_m = y_m - a_{m\ell}\beta)}$.

Let $\bar{A}$ denote the $m \times (n-1)$ matrix obtained by dropping the $\ell$-th column of $A$. We have $Z_i \sim \mathcal{N}\!\left(0, \sum_{j=1, j \ne \ell}^n a_{ij}^2\right)$ and the vector $Z = (Z_1, \ldots, Z_m)$ follows the distribution $\mathcal{N}(0, \Sigma)$, where $\Sigma = \bar{A}\bar{A}^T$. The entries of $\Sigma$ look like $\Sigma_{ik} = \sum_{j=1, j \ne \ell}^n a_{ij} a_{kj}$ and $\dim(\Sigma) = m \times m$. The sum of absolute values of the non-diagonal entries in the $i$-th row of $\Sigma$ is given by $R(\ell, i)$ and the $i$-th diagonal entry is $\sum_{j=1, j \ne \ell}^n a_{ij}^2$ (denoted $\Sigma_{ii}$). By the Gershgorin Circle Theorem (see [BBG+11]), the eigenvalues of $\Sigma$ are lower-bounded by $\Sigma_{ii} - R(\ell, i)$ for some $i \in [m]$. The condition $R(\ell, i) \le 0.99\,\Sigma_{ii}$ implies that every eigenvalue is at least $0.01 \times \sum_{j=1, j \ne \ell}^n a_{ij}^2$. Since at least two $a_{ij}$'s per query are strictly non-zero, $\Sigma$ will have strictly positive eigenvalues, and since $\Sigma$ is also real and symmetric, we know $\Sigma$ is invertible. Hence, for a given vector $z \in \mathbb{R}^m$, we can write $\mathrm{pdf}(Z = z) = \frac{1}{(2\pi)^{m/2}|\Sigma|^{1/2}}\exp\!\left(-\frac{1}{2} z^T \Sigma^{-1} z\right)$. Then, for $z_\alpha = y - \alpha A_\ell$ and $z_\beta = y - \beta A_\ell$, where $A_\ell$ denotes the $\ell$-th column of $A$, $r = \exp\!\left(-\frac{1}{2}\left(z_\alpha^T \Sigma^{-1} z_\alpha - z_\beta^T \Sigma^{-1} z_\beta\right)\right)$. Let $\Sigma^{-1} = Q\Lambda Q^T$ be the eigen decomposition and let $z'_\alpha = Q^T z_\alpha$ and $z'_\beta = Q^T z_\beta$ under the eigen basis. Then, $r = \exp\!\left(-\frac{1}{2}\sum_{i=1}^m \lambda_i\left((z'_{\alpha,i})^2 - (z'_{\beta,i})^2\right)\right)$, where $z'_{\alpha,i}$ is the $i$-th entry of $z'_\alpha$, $z'_{\beta,i}$ is the $i$-th entry of $z'_\beta$ and $\lambda_i$ is the $i$-th eigenvalue of $\Sigma^{-1}$. Further it can be shown that

$$r \le \exp\left(\frac{\sqrt{m}\,\lambda_{\max}\,|\alpha - \beta|\,\|A_\ell\|}{2}\sqrt{\sum_{i=1}^m \left(2y_i - a_{i\ell}(\alpha + \beta)\right)^2}\right)$$

where $\lambda_{\max} = \max_i \lambda_i$ and we have used the fact that the $L_1$ norm is at most $\sqrt{m}$ times the $L_2$ norm and that the $L_2$ norms of $z'_\alpha$ and $z'_\beta$ are equal to the $L_2$ norms of $z_\alpha$ and $z_\beta$ respectively. Thus, this ratio will be less than $e^{\varepsilon}$ if:

$$\sqrt{\sum_{i=1}^m \left(2y_i - a_{i\ell}(\alpha + \beta)\right)^2} < \frac{2\varepsilon}{\sqrt{m}\,\lambda_{\max}\,|\alpha - \beta|\,\|A_\ell\|} \quad (7)$$

For $i \in [m]$ let $G_i$ denote the event $\left[|2y_i - a_{i\ell}(\alpha + \beta)| < \frac{2\varepsilon}{m^{3/2}\,|\alpha - \beta|\,\lambda_{\max}\,\|A_\ell\|}\right]$. The conjunction of events represented by $G = \bigwedge_i G_i$ implies the inequality in (7). Then, in the last step of the proof, we show (see [BBG+11]) that the probability of the event $G^c$ (complement of $G$) is negligible in $n$ for any $\varepsilon$ and $m \le \sqrt{n}$. The above theorem is also true if the expected value of the database entries is a non-zero constant. This is our next claim (see [BBG+11] for the proof).

Claim 1. If $Y = \sum_{i=1}^n a_i t_i$ is $(\varepsilon, \delta)$-Noiseless Private for a database $T = (t_1, \ldots, t_n)$ such that $\forall i$, $\mathbb{E}[t_i] = 0$, then $Y^* = \sum_{i=1}^n a_i t_i^*$, where $t_i^* = t_i + \mu_i$, is also $(\varepsilon, \delta)$-Noiseless Private.
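As an added example (my own code, not from the paper) of the hypothesis of Theorem 7, the block below builds, for each dropped coordinate ell, the covariance Sigma = Abar Abar^T of the proof sketch, computes R(ell, i) as the sum of the absolute off-diagonal entries of row i, and checks R(ell, i) <= 0.99 Sigma_ii together with the coefficient bound and the two-non-zero-coefficients requirement. It also reports the Gershgorin lower bound min over ell and i of Sigma_ii - R(ell, i) on the eigenvalues of Sigma, the quantity the condition keeps away from zero. The two design matrices are constructed samples and the function names are mine.

```python
def sigma_without(A, ell):
    """Sigma = Abar Abar^T where Abar is A with column ell removed:
    Sigma_ik = sum_{j != ell} a_ij a_kj, the covariance of Z = (Z_1, ..., Z_m)."""
    m, n = len(A), len(A[0])
    return [[sum(A[i][j] * A[k][j] for j in range(n) if j != ell)
             for k in range(m)] for i in range(m)]


def gershgorin_radius(S, i):
    """R(ell, i): sum of |Sigma_ik| over k != i for the i-th row of Sigma."""
    return sum(abs(S[i][k]) for k in range(len(S)) if k != i)


def theorem7_check(A, slack=0.99):
    """Check the hypotheses of Theorem 7 for an m x n design matrix A.
    Returns (ok, bound, failures): ok is True iff |a_ij| <= 1, every query has at
    least two non-zero coefficients and R(ell, i) <= slack * Sigma_ii for all
    ell, i; bound is the minimum over ell, i of Sigma_ii - R(ell, i), the
    Gershgorin lower bound on the eigenvalues of Sigma; failures lists the
    offending (ell, i) pairs."""
    m, n = len(A), len(A[0])
    if any(abs(x) > 1 for row in A for x in row):
        return False, None, ["coefficient outside [-1, 1]"]
    if any(sum(1 for x in row if x != 0) < 2 for row in A):
        return False, None, ["query with fewer than two non-zero coefficients"]
    failures, bound = [], float("inf")
    for ell in range(n):
        S = sigma_without(A, ell)
        for i in range(m):
            r = gershgorin_radius(S, i)
            bound = min(bound, S[i][i] - r)
            if r > slack * S[i][i]:
                failures.append((ell, i))
    return not failures, bound, failures


# Constructed sample: two queries over five entries that overlap in a single
# entry (index 2); whichever coordinate is dropped, each query keeps at least
# two private entries of its own, so the condition holds for every ell.
OVERLAP_ONE = [
    [1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1],
]
# Constructed sample: two nearly identical queries.  Dropping index 3 leaves
# Sigma with R(3, i) = Sigma_ii, the condition fails, and indeed the difference
# of the two answers equals 0.5 * t_3.
NEARLY_EQUAL = [
    [1, 1, 1, 1],
    [1, 1, 1, 0.5],
]

if __name__ == "__main__":
    print(theorem7_check(OVERLAP_ONE))   # (True, 1, [])
    print(theorem7_check(NEARLY_EQUAL))  # (False, -0.25, [(0, 1), (1, 1), (2, 1), (3, 0), (3, 1)])
```

The check is what a mechanism would run over a batch of proposed queries before answering any of them: a failing pair (ell, i) names the entry whose conditional density ratio the proof can no longer bound, and the bound value shows how far the smallest eigenvalue of Sigma is from zero.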

The results of Theorem 7 can be extended to the case when the adversary has access to some auxiliary information, $\mathrm{Aux}$, provided that $\mathrm{Aux}$ only contains information about a constant fraction of entries, albeit with a stricter requirement on the coefficients of the queries ($0 \le a_{ij} \le 1$ instead of $|a_{ij}| \le 1$).

Theorem 8 (Privacy with auxiliary information). Consider a database $T = (t_1, \ldots, t_n)$ where each $t_j$ is drawn i.i.d. from $\mathcal{N}(0, 1)$. Let $f_n^i(T) = \sum_{j \in [n]} a_{ij} t_j$, $i = 1, 2, \ldots$, be a sequence of linear queries (over $T$) with constant coefficients $a_{ij}$, $0 \le a_{ij} \le 1$, and at least two non-zero coefficients in each query. Let $\mathrm{Aux}$ denote the auxiliary information that the adversary can access. If $\mathrm{Aux}$ only contains information about a constant fraction, $p$, of data entries in $T$, then, for every $m$, $1 \le m \le \sqrt{n}$, the set of queries $\{f_n^1(T), \ldots, f_n^m(T)\}$ is $(\varepsilon, \mathrm{negl}(n))$-Noiseless Private for any constant $\varepsilon$, provided the following conditions hold: for all $i \in [m]$, $\ell \in [n]$ and $(n - pn) \le r \le n$,



where $S_r$ is the collection of all possible $(r - 1)$-size subsets of $[n] \setminus \{\ell\}$. The test in (8) can be performed efficiently in $O(n \log n)$ time.

Sketch of the proof: We first give a proof for the case when the auxiliary information Aux is the full disclosure of any r entries of the database. Thereafter, we use Theorem [?] to get privacy for the case when Aux is any partial information about at most r entries of the database. Fix a set I of indices (out of [n]) that correspond to the elements in Aux (this set is known to the adversary, but not to the mechanism). Let |I| = r. The response Y_i to the i-th query can be written as Y_i = Y_i' + Σ_{j∈I} a_{ij} t_j, where Y_i' = Σ_{j∈[n]\I} a_{ij} t_j. Since the second term in the above summation is known to the adversary, the ratio R that we need to bound for Noiseless Privacy is given by


$$R = \frac{\mathrm{pdf}(Y_1 = y_1, \ldots, Y_m = y_m \mid t_\ell = \alpha, \mathrm{Aux})}{\mathrm{pdf}(Y_1 = y_1, \ldots, Y_m = y_m \mid t_\ell = \beta, \mathrm{Aux})} \qquad (9)$$

$$\phantom{R} = \frac{\mathrm{pdf}\bigl(Y_i' = y_i - \sum_{j \in I} a_{ij} t_j,\ i = 1, \ldots, m \mid t_\ell = \alpha\bigr)}{\mathrm{pdf}\bigl(Y_i' = y_i - \sum_{j \in I} a_{ij} t_j,\ i = 1, \ldots, m \mid t_\ell = \beta\bigr)} \qquad (10)$$
Applying Theorem 1 to the Y_i' we get (ε, negl(n))-Noiseless Privacy for any m < √n, if ∀i ∈ [m], ℓ ∈ [n]:

$$\sum_{j \in [n] \setminus I,\ j \neq \ell} 0.99\, a_{ij}^2 \;-\; \sum_{k=1,\ k \neq i}^{m} \Bigl| \sum_{j \in [n] \setminus I,\ j \neq \ell} a_{ij} a_{kj} \Bigr| \;>\; 0 \qquad (11)$$


Theorem 8 uses the stronger condition 0 < a_{ij} < 1 (compared to |a_{ij}| < 1 in Theorem 1). Hence, we can remove the absolute-value signs and change the order of summation to get the following equivalent test: for all i ∈ [m], ℓ ∈ [n],

$$\sum_{j \in [n] \setminus I,\ j \neq \ell} \Bigl( 0.99\, a_{ij}^2 \;-\; \sum_{k=1,\ k \neq i}^{m} a_{ij} a_{kj} \Bigr) \;>\; 0 \qquad (12)$$

Since I is not known to the mechanism, we need to perform this check for all I and ensure that even the I that minimizes the LHS above yields a non-negative value. This gives us the test in Theorem 8. We can first compute all entries inside the round braces of (12), then sort them and pick the first (n − r) entries. This takes O(n log n) time. This completes the proof.

Finally, we point out that although Theorem 8 requires 0 < a_{ij} < 1, we can obtain a very similar result for the |a_{ij}| < 1 case as well. This is because (11) is true even for |a_{ij}| < 1. However, unlike for 0 < a_{ij} < 1 (when (12) could be derived), testing (11) for all I becomes combinatorial and inefficient.
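As an added illustration (this code is not part of the original paper), the following Python carries out the O(n log n) test of (12) described in the proof sketch: for every query i and position ℓ it computes the per-entry terms inside the round braces, sorts them, and sums the n − r smallest, which is the minimum of the LHS over all (r − 1)-size exclusion sets I ⊆ [n] \ {ℓ} (the S_r convention of Theorem 8). A brute-force minimum over all such subsets is included to confirm the sort-and-truncate shortcut on small inputs. The coefficient matrices are constructed for the demonstration (coefficients in [0, 1), with zeros where a query does not touch an entry), and the number of leaked entries is passed in as r.

```python
from itertools import combinations


def braces_terms(a, i, ell):
    """Terms inside the round braces of (12) for query i and position ell,
    one per j != ell, in increasing j:  0.99 a_ij^2 - sum_{k != i} a_ij a_kj."""
    m, n = len(a), len(a[0])
    terms = []
    for j in range(n):
        if j == ell:
            continue
        cross = sum(a[k][j] for k in range(m) if k != i)
        terms.append(0.99 * a[i][j] ** 2 - a[i][j] * cross)
    return terms


def min_lhs(a, i, ell, r):
    """Minimum of the LHS of (12) over all I in S_r, i.e. over all (r-1)-size
    subsets of [n] \\ {ell}: dropping the r-1 largest terms leaves the n-r
    smallest, so one sort suffices (O(n log n))."""
    n = len(a[0])
    if not 1 <= r <= n - 1:
        raise ValueError("r must satisfy 1 <= r <= n-1")
    return sum(sorted(braces_terms(a, i, ell))[: n - r])


def min_lhs_bruteforce(a, i, ell, r):
    """Same minimum by enumerating every I in S_r (exponential; small n only)."""
    n = len(a[0])
    others = [j for j in range(n) if j != ell]
    term_of = dict(zip(others, braces_terms(a, i, ell)))
    return min(sum(term_of[j] for j in others if j not in set(excluded))
               for excluded in combinations(others, r - 1))


def passes_test(a, r):
    """Theorem 8's test for a fixed r: (12) must hold for every i in [m], ell in [n]."""
    m, n = len(a), len(a[0])
    return all(min_lhs(a, i, ell, r) > 0 for i in range(m) for ell in range(n))


# Constructed coefficients: m = 2 queries over n = 8 entries on disjoint supports.
DISJOINT = [
    [0.5, 0.5, 0.5, 0.5, 0.5, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0, 0.5, 0.5, 0.5],
]
# Constructed coefficients: two overlapping queries, the second with small weights,
# so 0.99 a_2j^2 < a_2j a_1j at every j and the second query fails the test.
OVERLAPPING = [[0.6] * 8, [0.1] * 8]

if __name__ == "__main__":
    for r in (1, 2, 3):
        print(f"disjoint supports, r={r}: passes={passes_test(DISJOINT, r)}")
    print(f"overlapping supports, r=1: passes={passes_test(OVERLAPPING, 1)}")
```

On the disjoint example the test holds for r = 1 and r = 2 but fails at r = 3: the second query has only three non-zero coefficients, and once ℓ and two more leaked indices can all fall on its support, the remaining sum is zero. The overlapping example fails already at r = 1, because a query dominated by another query's coefficients on the same entries has negative braces terms everywhere.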


4.3 Privacy under Multiple Queries on Changing Databases 

Theorems [?] and 8 provide (ε, δ)-privacy guarantees under leakage of a constant fraction of the data as auxiliary information. From Theorem [?], this implies composition results under dynamically changing databases (e.g., if each query is (ε, δ)-Noiseless Private, the composition of m such queries will be (mε, mδ)-Noiseless Private). As discussed in Sec. 2, we get composition under the growing, streaming and random replacement models. In addition, both queries considered in this section are extendible (see the full version [BBG+11] for details) and thus one can answer multiple repeat queries on a dynamic database (under the growing data and streaming models) without degradation of the privacy guarantee.
Abstract. We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three “classical” double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 2^{2n−5} block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 2^{2n−10} queries are necessary. These bounds improve upon the previous best bounds of Ω(2^n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2^{2n}.

Keywords: Hash Function, Preimage Resistance, Block Cipher, Beyond 
Birthday Bound, Foundations. 


1 Introduction 

Almost as soon as the idea of turning a block cipher into a hash function appeared [?], it became evident that, for typical block ciphers and security expectations, the hash function needs to output a digest that is considerably larger than the block cipher’s block size. Consequently, many proposals of double-block-length, or more generally multi-block-length, hash functions have appeared in the literature. In this article we focus on a subclass of double-block-length constructions, where a 3n-bit to 2n-bit compression function makes two calls to a block cipher of 2n-bit key and n-bit block.

Fig. 1. Preimage bounds for the classical constructions.

Recently, for all three well-known members of this class — those being Tandem-DM [?], Abreast-DM [?] and Hirose’s construction [3] — collision resistance has been successfully resolved [2,4,6,7]: for Abreast-DM and Hirose’s scheme, Ω(2^n) queries to the underlying block cipher are needed to obtain a non-vanishing advantage in finding a collision. For Tandem-DM, Ω(2^{n − log n}) queries are needed, which is almost optimal ignoring log factors.

On the other hand, the corresponding situation for preimage resistance is far less satisfactory. Up to now, it has been an open problem to prove preimage resistance for values of q higher than 2^n for either Abreast-DM, Tandem-DM or Hirose. This is not to say that no dedicated preimage security proofs have appeared in the literature. For instance, Lee, Stam and Steinberger [7] provide a preimage resistance bound for Tandem-DM that is a lot closer to 2^n than a straightforward implication [?] of their collision bound would give. However, a “natural barrier” occurs once 2^n queries are reached: namely, a block cipher “loses randomness” after being queried Ω(2^n) times on the same key (for example, when 2^n − 1 queries have been made to a block cipher under a given key, the answer to the last query under that key is deterministic). Going beyond the 2^n barrier seemed to require either a very technical probabilistic analysis, or some brand new idea. In this paper, we show a new idea which delivers tight bounds in a quite pain-free and non-technical fashion.

Our contribution. In this paper, we prove that various compression functions that turn a block cipher of 2n-bit key into a double-block-length hash function have preimage resistance close to the optimal 2^{2n} in the ideal cipher model. Our analysis covers many practically relevant proposals, such as Abreast-DM, Hirose-DM and Tandem-DM. Bounds for the case n = 128 are depicted in Figure 1. At the heart of our result are so-called “super queries”, a new technique to restrict the advantage of an adaptive preimage-finding adversary.

To build some intuition for our result, let us first consider the much easier problem of constructing a 3n-bit to 2n-bit compression function H based on two smaller underlying primitives f and f' mapping 3n bits to n bits. An obvious approach is simply to concatenate the outputs of f and f', that is, let H(B) = f(B) || f'(B) for B ∈ {0,1}^{3n}. If f and f' are modeled as independent, ideal random functions, then it is not hard to see that H behaves ideally as well. In particular, it is preimage resistant up to 2^{2n} queries (to f and f').

When switching to a block cipher-based scenario, it is natural to replace f and f' in the construction above by E, resp. E', both run in Davies-Meyer mode. In other words, for block ciphers E and E' both with 2n-bit keys and operating on n-bit blocks, define H(A||B) = (E_B(A) ⊕ A) || (E'_B(A) ⊕ A) where A ∈ {0,1}^n and B ∈ {0,1}^{2n}. While there is every reason to believe this construction maintains preimage resistance up to 2^{2n} queries, the standard proof technique against adaptive adversaries falls short significantly. Indeed, the usual argument goes that the i-th query an adversary makes to E using key K will return an answer uniform from a set of size at least 2^n − (i − 1), and thus the probability of hitting a prespecified value is at most 1/(2^n − (i − 1)) ≤ 1/(2^n − q). Unfortunately, once q approaches 2^n, the denominator tends to zero (rendering the bound useless). As a result, one cannot hope to prove anything beyond 2^n queries using this method. This restriction holds even for a “typical” bound of type q/(2^n − q)^2.

When considering non-adaptive adversaries only, the situation is far less grim. Such adversaries need to commit to all queries in advance, which allows bounding the probability of each individual query hitting a prespecified value by 2^{−n}. While obviously there are dependencies (in the answers), these can safely be ignored when a union bound is later used to combine the various individual queries. Since the q offset has disappeared from the denominator, the typical bound q/(2^n)^2 would give the desired security.

Our solution, then, is to force an adaptive adversary to behave non-adaptively. As this might sound a bit cryptic, let us be more precise. Consider an adversary adaptively making queries to the block cipher, using the same key throughout. As soon as the number of queries to this key passes a certain threshold, we give the remaining queries to the block cipher using this very key for free. We will refer to this event as a super query. Since these free queries are all asked in one go, they can be dealt with non-adaptively, preempting the problems that occur (in standard proofs) due to adaptive queries. Nonetheless, for every super query we need to hand out a very large number of free queries, which can aid the adversary. Thus we need to limit the amount of super queries an adversary can make by setting the threshold that triggers a super query sufficiently high. In fact, we set the threshold at exactly half^1 the total number of queries that can be made under a given key (i.e., it is set at 2^n/2 queries). This effectively doubles the adversary’s query budget, since for every query the adversary makes it can get another one later “for free” (if it keeps on making queries under the same key), but such a doubling of the number of queries does not lead to an unacceptable deterioration of the security bound.

^1 The “optimized” threshold turns out to be very near one half, but a bit less; we set the threshold at a half for simplicity in our proofs.

With this new technique in hand, we can prove in Section 3 that the construction H given above has indeed an asymptotically optimal preimage resistance bound. Afterwards, we revisit the proofs of preimage resistance of the three main double-block-length, double-call constructions: Hirose (Section 4), Abreast-DM (Section 5) and Tandem-DM (Section [?]). An additional technical problem is that these compression functions each make two calls to the same block cipher, as opposed to using two calls to independent block ciphers. Ideally, to get a good bound, one would like to query the two calls necessary for a single compression function evaluation in conjunction (this would allow using the randomness of both calls simultaneously, potentially leading to a denominator 2^{2n} as desired for preimage resistance). For instance, in the context of collision resistance for Hirose-DM and Abreast-DM corresponding queries are grouped in cycles (of length 2 and 6, respectively) and all queries in a cycle are made simultaneously: if the adversary makes one query in a cycle, the remaining queries are handed out for free. Care has to be taken that these free queries and the free queries due to super queries do not reinforce each other to untenable levels.

For Hirose’s scheme, there are no problems as the free queries introduced by a super query necessarily consist of full cycles only. The corresponding (upper) bound on the preimage finding advantage is 16q/2^{2n}, which is as desired, up to a small factor. For Abreast-DM, however, the cyclic nature can no longer be exploited: any super query introduces many partial cycles, yet freely completing these might well trigger a new super query, etc.! Luckily, the original preimage proof for Tandem-DM [?] (which does not involve cycles) provides a way out of this conundrum. The downside however is that our preimage bound for Abreast-DM and Tandem-DM is slightly less tight than that for Hirose’s scheme. Ignoring negligible terms, it grows roughly as 16√q/2^n. Although this is faster than one might wish for (as can be seen in Figure 1), it does imply that Ω(2^{2n}) queries are required to find a preimage with constant probability.

2 The Model 

A block cipher is a function E : {0,1}^m × {0,1}^n → {0,1}^n such that E(K, ·) is a permutation of {0,1}^n for each K ∈ {0,1}^m. We call m the key size and n the block length of the block cipher. It is customary to write E_K(X) instead of E(K, X) for K ∈ {0,1}^m, X ∈ {0,1}^n. The function E_K^{−1}(·) denotes the inverse of E_K(·) (as E_K(·) is a permutation). Henceforth, we will restrict to the case m = 2n and we define N = 2^n.

A compression function H is block cipher-based if, in its execution, it has access to a block cipher. In this paper, we only discuss double-block-length, double-call constructions, meaning that H is a function from 3n bits to 2n bits making two calls to some underlying block cipher E. (This definition will become more concrete in the next sections.)

As our preimage security notion for H, we adopt everywhere preimage resistance in the information theoretic setting [?]. In this preimage resistance experiment, a computationally unbounded adversary with oracle access to a uniformly sampled block cipher E : {0,1}^{2n} × {0,1}^n → {0,1}^n selects and announces a point C ∈ {0,1}^{2n}, before making queries to E. We allow the adversary to query both E and E^{−1}. After q queries to E, the query history of the attacker is the set of triples Q = {(X_i, K_i, Y_i)}_{i=1}^q such that E_{K_i}(X_i) = Y_i and the attacker’s i-th query is either E_{K_i}(X_i) or E_{K_i}^{−1}(Y_i) for 1 ≤ i ≤ q. We say the attacker succeeds or finds a preimage if its query history Q contains the means of computing a preimage of C, in the sense that there exist values B ∈ {0,1}^{3n}, K_1, K_2 ∈ {0,1}^{2n} and X_1, X_2, Y_1, Y_2 ∈ {0,1}^n such that both (X_1, K_1, Y_1) and (X_2, K_2, Y_2) are in the query history Q, H(B) = C and the two queries used to evaluate H(B) are precisely E_{K_1}(X_1) and E_{K_2}(X_2). In this case, we also say Q contains a preimage of C. We let Preim(Q) be the predicate that is true if and only if Q contains a preimage of C, where C is an elided-but-understood parameter of the predicate. We define

$$\mathrm{Adv}^{\mathrm{epre}}_{H}(q) = \max \Pr[\mathrm{Preim}(Q)]$$

where the maximum is taken over all adversaries making at most q queries, and where the probability is taken over the randomness of E as well as over the adversary’s coins, if any.

For Tandem-DM, it turns out that the everywhere preimage resistance notion is slightly too strong, as there is one weak point (namely 0^{2n}) in the range, for which finding preimages is a bit easier. A simple adaptation of the everywhere preimage resistance definition is to disallow the adversary to choose C = 0^{2n} as the target point [7]; we denote the corresponding advantage as

$$\mathrm{Adv}^{\mathrm{epre}'}_{H}(q).$$

(We will still use the same predicate Preim(Q) though.)

A standard assumption made in ideal cipher proofs is that “the adversary never makes a query to which it already knows the answer”. By this it is meant, for example, that one can assume the adversary never makes a query E_K(X), obtaining an answer Y, and then makes the query E_K^{−1}(Y) (which will necessarily be answered by X). In the current context, where we consider adversaries making 2^n queries or more, this assumption should be more precisely restated as “the adversary never makes a query that will result in a triple (X, K, Y) which is already present in the query history”. (This latter assumption can be made without loss of generality using the fact that E_K(·) is a permutation.) Indeed, if an adversary has made 2^n − 1 queries under a key K, the result of the last query under that key is predetermined, and thus the adversary “already knows” the answer to this query. However, one should not forbid the adversary from making this query, since the query may be necessary to complete a preimage.
Our security proofs also use the notion of “free” queries. Formally, these can be modelled as queries which the adversary is “forced” to query (under certain conditions), but for which the adversary is not charged: they do not count towards the maximum of q queries which the adversary is allowed. However, these queries become part of the adversary’s query history, just like other queries. In particular, the adversary is not allowed, later, to remake these queries “on its own” (due to the previously discussed assumption that the adversary never makes a query which it already owns). Observe that “free” queries are a common tool for analyzing the security of hash functions, e.g., see [?].

3 An Example Case 

Before we apply the new technique of super queries to the analysis of three well-known constructions that compress 3n bits to 2n bits and that each call the same block cipher twice, we demonstrate our technique on the following simplest possible example. We consider the construction H_1, compressing 3n − 1 bits to 2n bits, that makes two block cipher calls. Given a block cipher E of key length m = 2n and block length n, an input block X ∈ {0,1}^n and a key prefix K ∈ {0,1}^{2n−1} we define

$$H_1(K, X) = \bigl(E_{K\|0}(X) \oplus X,\; E_{K\|1}(X) \oplus X\bigr)$$

where || denotes concatenation. If we consider the ideal cipher model, the two block cipher calls are independent. H_1 can be seen as a simple special case of a scenario where two different block ciphers are called and which is closely connected with the more general framework introduced by Özen and Stam [?] (with slightly different notation though).

Theorem 1. Let H_1 : {0,1}^{3n−1} → {0,1}^{2n} be the block cipher-based compression function defined as above. Then

$$\mathrm{Adv}^{\mathrm{epre}}_{H_1}(q) \le 8q/N^2.$$

In particular, to achieve an advantage of 1/2 the adversary has to make at least 2^{2n−4} queries.

Proof. Let U||V ∈ {0,1}^{2n} be the point to invert (chosen by the adversary before it makes any queries to E). We upper bound the probability that, in q queries, the adversary finds a point X ∈ {0,1}^n and a key prefix K ∈ {0,1}^{2n−1} such that H_1(K, X) = U||V. On top of the q queries the adversary wants to make, we give it several queries for free, to ensure that the elements (X, K||0, Y) and (X, K||1, Y') are always added to the query history as a pair. We call such a pair an “adjacent query pair” with respect to the key prefix K ∈ {0,1}^{2n−1}. The involved free queries are as follows.

Normal forward query. If the adversary queries E_{K||0}(X) (resp. E_{K||1}(X)) for some key prefix K ∈ {0,1}^{2n−1} and X ∈ {0,1}^n, we also give it for free E_{K||1}(X) (resp. E_{K||0}(X)).

Normal inverse query. If the adversary queries E_{K||0}^{−1}(Y) (resp. E_{K||1}^{−1}(Y')) for some key prefix K ∈ {0,1}^{2n−1} and receives answer X, we also give it for free E_{K||1}(X) (resp. E_{K||0}(X)).

We now give further free queries to the adversary, in the fashion described next. 
After each adjacent query pair has been completed (namely, after the adversary 
has received the response to both its query and its associated free query, and 
after these have been placed in the query history), we check whether the key 
prefix used for the latest query is such that the (current) query history contains 
exactly N/2 adjacent query pairs with this key prefix. If so, we give all remaining 
adjacent query pairs under this key prefix for free to the adversary. There will 
be exactly N/2 such query pairs. We insert these N/2 free query pairs into 
the query history pair-by-pair (to maintain, mostly for conceptual simplicity, 
the adjacent pair structure of the query history). We note that, after these free 
queries have been inserted into the query history, the adversary cannot make 
any more queries under this key prefix, since the adversary is assumed never 
to make a query to which it knows the answer. When N/2 free query pairs are 
given to the adversary in the fashion just described, we say that a super query 
occurs. This can be summed up as follows: 

Super query. When the query history contains N/2 adjacent query pairs all using the same key prefix K ∈ {0,1}^{2n−1}, all the remaining queries of the form E_{K||0}(·) and E_{K||1}(·) are given for free.

We say that an adjacent query pair (X, K||0, Y), (X, K||1, Y') is “winning”, or “successful”, if X ⊕ Y = U and X ⊕ Y' = V. Thus the adversary obtains a preimage of U||V precisely if it obtains a winning adjacent query pair. This can occur in one of two ways: either the winning query pair is part of a super query, or not. We let SuperQueryWin(Q) denote the event that the adversary obtains a winning query pair that is part of a super query, and NormalQueryWin(Q) the event that the adversary obtains a winning query pair of normal queries. It thus suffices to upper bound

$$\Pr[\mathrm{SuperQueryWin}(Q)] + \Pr[\mathrm{NormalQueryWin}(Q)].$$

Here probabilities are taken (as usual) over the adversary’s randomness (if any) and over the randomness of the ideal cipher.

We first upper bound Pr[NormalQueryWin(Q)]. Note that when the adversary makes, say, a forward query E_{K||0}(X), at most N/2 − 1 queries have been previously answered to the key K||0 and at most N/2 − 1 queries have been previously answered to the key K||1, since otherwise a super query for the key prefix K would have occurred. Thus the values Y = E_{K||0}(X) and Y' = E_{K||1}(X) come uniformly and independently at random from a set of size at least N/2 + 1 > N/2, and there is chance at most (1/(N/2))^2 = 4/N^2 that we obtain a winning pair of adjacent queries. The same is true if the adversary makes a forward query E_{K||1}(X), or an inverse query E_{K||0}^{−1}(Y), or an inverse query E_{K||1}^{−1}(Y'). Since the adversary makes q queries in total, we therefore have

$$\Pr[\mathrm{NormalQueryWin}(Q)] \le 4q/N^2. \qquad (1)$$
We now bound Pr[SuperQueryWin(Q)]. Say a super query is about to occur on key prefix K ∈ {0,1}^{2n−1}, meaning that the value of E_{K||0}(·) and E_{K||1}(·) is already known on exactly N/2 points. Let us denote this set of points by 𝒳, and let 𝒴 = E_{K||0}(𝒳) and 𝒴' = E_{K||1}(𝒳). Further let 𝒜 = {0,1}^n \ 𝒳, ℬ = {0,1}^n \ 𝒴, and ℬ' = {0,1}^n \ 𝒴'. Note that |𝒳| = |𝒴| = |𝒴'| = |𝒜| = |ℬ| = |ℬ'| = N/2.

Now let a point A ∈ 𝒜 in the domain of the super query be arbitrarily fixed, and let us estimate the probability that point A induces a winning pair under E. If A ⊕ U ∈ 𝒴 or if A ⊕ V ∈ 𝒴', this probability is zero. Consequently, let us suppose that A ⊕ U ∈ ℬ and A ⊕ V ∈ ℬ'.

The probability (taken w.r.t. E) that E_{K||0}(A) = A ⊕ U and E_{K||1}(A) = A ⊕ V equals (1/(N/2))^2 = 4/N^2. Thus, by union bounding over A, we find that the probability of the super query producing a winning pair of adjacent queries is at most N/2 · 4/N^2 = 2/N. We now observe that at most q/(N/2) super queries can ever occur, since each super query requires a “setup” cost of N/2 queries. Thus

$$\Pr[\mathrm{SuperQueryWin}(Q)] \le 4q/N^2. \qquad (2)$$

Summing (1) and (2) completes the proof. □
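To make the bookkeeping of this proof concrete, here is an added Python simulation (not code from the paper or its authors) of the query history for H_1: a lazily sampled ideal cipher with a toy block length n, charged forward queries that are always completed with the free partner query under the sibling key K||0 / K||1 (an adjacent query pair), the super query handed out once N/2 pairs exist under a prefix, and the winning-pair predicate. Key prefixes are plain integers, the target U||V and the adversary strategy (spending its q ≤ N/2 queries under one prefix) are constructed for the demonstration, and the empirical success rate is that of this one adversary, not the maximum over all adversaries that Adv^{epre} takes. The same machinery carries over to Hirose's scheme in the next section with the partner rule (A, A ⊕ c) under one key and the threshold counted in queries rather than pairs.

```python
import random


class IdealCipher:
    """Lazily sampled ideal cipher: each key indexes an independent random
    permutation of {0,1}^n, fixed one point at a time (a fresh output is drawn
    uniformly from the values not yet used under that key)."""

    def __init__(self, n, seed=0):
        self.n, self.N = n, 1 << n
        self.rng = random.Random(seed)
        self.tables = {}                      # key -> {X: Y}

    def encrypt(self, key, x):
        table = self.tables.setdefault(key, {})
        if x not in table:
            unused = [y for y in range(self.N) if y not in table.values()]
            table[x] = self.rng.choice(unused)
        return table[x]


class SuperQueryHistory:
    """Query history from the proof of Theorem 1 for
    H_1(K, X) = (E_{K||0}(X) xor X, E_{K||1}(X) xor X).
    A charged query E_{K||0}(X) is completed with the free partner E_{K||1}(X)
    (an adjacent query pair); once N/2 pairs exist under prefix K, the remaining
    N/2 pairs are handed out for free (a super query) and K is exhausted."""

    def __init__(self, cipher):
        self.E = cipher
        self.pairs = {}                        # prefix K -> {X: (Y, Y')}
        self.charged = 0                       # the q queries the adversary pays for
        self.free = 0                          # partner queries plus super-query queries
        self.super_queries = 0

    def _add_pair(self, prefix, x):
        y0 = self.E.encrypt((prefix, 0), x)    # key K||0
        y1 = self.E.encrypt((prefix, 1), x)    # key K||1
        self.pairs[prefix][x] = (y0, y1)

    def query(self, prefix, x):
        """Charged forward query E_{K||0}(X) made by the adversary."""
        known = self.pairs.setdefault(prefix, {})
        if x in known:
            raise ValueError("a triple already in the history is never re-queried")
        self.charged += 1
        self.free += 1                         # the partner query E_{K||1}(X)
        self._add_pair(prefix, x)
        if len(known) == self.E.N // 2:        # threshold reached: super query
            remaining = [v for v in range(self.E.N) if v not in known]
            for v in remaining:
                self._add_pair(prefix, v)
            self.free += 2 * len(remaining)
            self.super_queries += 1

    def winning_pair(self, prefix, u, v):
        """Preim(Q) for target U||V restricted to prefix K: some adjacent pair
        (X, K||0, Y), (X, K||1, Y') has X xor Y = U and X xor Y' = V."""
        return any(x ^ y0 == u and x ^ y1 == v
                   for x, (y0, y1) in self.pairs.get(prefix, {}).items())


def one_prefix_attack(n, q, prefix, seed):
    """Constructed adversary: spends all q <= N/2 charged queries under one prefix."""
    history = SuperQueryHistory(IdealCipher(n, seed))
    for x in range(q):
        history.query(prefix, x)
    return history


def theorem1_bound(n, q):
    """The upper bound 8q/N^2 of Theorem 1."""
    return 8 * q / (1 << n) ** 2


def estimate_success(n, q, trials, seed=0):
    """Empirical preimage-finding rate of the one-prefix adversary against the
    constructed target U||V = 1 || (N-2), for comparison with theorem1_bound."""
    u, v = 1, (1 << n) - 2
    wins = sum(one_prefix_attack(n, q, 0, seed + t).winning_pair(0, u, v)
               for t in range(trials))
    return wins / trials


if __name__ == "__main__":
    n = 4                                      # toy block length, N = 16
    h = one_prefix_attack(n, 8, prefix=0, seed=1)
    print(f"charged={h.charged} free={h.free} super_queries={h.super_queries} "
          f"pairs under prefix 0: {len(h.pairs[0])}")
    print(f"empirical rate {estimate_success(n, 8, 400):.3f} "
          f"vs Theorem 1 bound {theorem1_bound(n, 8):.3f}")
```

With n = 4 the adversary pays for q = N/2 = 8 queries and ends up with all N = 16 adjacent pairs under the prefix: 8 partner queries plus 16 super-query queries were free, which is the "budget doubling" of the introduction, and the prefix can no longer be queried. The empirical rate for this adversary stays well below 8q/N^2 = 0.25, as the theorem requires.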

4 Preimage Security Results for Hirose’s Scheme 

Hirose [3] introduced his 3n-bit to 2n-bit compression function making two calls to a block cipher of 2n-bit key over 10 years after Abreast-DM and Tandem-DM (see the next Sections). Hirose’s construction (Figure 2) is simpler than either of its predecessors and it uses a single keying schedule for the top and bottom block ciphers. Moreover, Hirose himself already proved birthday-type collision resistance for his construction in the ideal cipher model, thereby predating similar collision resistance analyses for Abreast-DM and Tandem-DM. Previously, Lee and Kwon [?] have shown that Adv^{epre}_{Hir}(q) ≤ 2q/(N − 2q)^2, which becomes void once q > N/2. We improve upon this bound considerably.

Theorem 2. Let Hir : {0,1}^{3n} → {0,1}^{2n} be the block cipher-based compression function depicted in Figure 2. Then

$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{Hir}}(q) \le 8q/N^2 + 8q/N(N-2).$$

In particular, Adv^{epre}_{Hir}(q) is upper bounded by approximately 16q/N^2.

Fig. 2. Hirose’s compression function. All wires carry n-bit values. The top and bottom block ciphers, which are the same block cipher, have 2n-bit key and n-bit input/output. The wires A, L, M are the inputs to the compression function. The bottom left-hand wire is not an input; it carries an arbitrary nonzero constant c.

Proof. Let U||V ∈ {0,1}^{2n} be the point to invert (chosen by the adversary before it makes any queries to E). We upper bound the probability that, in q queries, the adversary finds a point A||L||M ∈ {0,1}^{3n} such that Hir(A||L||M) = U||V.

When the adversary makes a forward query E_{L||M}(A) we give it for free, also, the answer to the query E_{L||M}(A ⊕ c). Moreover when the adversary makes a backward query E_{L||M}^{−1}(R), resulting in an answer A = E_{L||M}^{−1}(R), we give it for free the answer to the forward query E_{L||M}(A ⊕ c). Also, we assume that the adversary never makes a query to which it knows the answer (in the sense discussed in Section 2). Thus the elements of the adversary’s query history Q can be paired into adjacent pairs of the form (A, L||M, R), (A ⊕ c, L||M, S). We call such a pair an “adjacent query pair”. Furthermore, we define super queries analogously to the definition used in the proof of Theorem 1. More precisely, as soon as the (current) query history contains exactly N/2 queries with the same key, all remaining queries under this key are given for free to the adversary. (A minor difference with Theorem 1 is that it only takes N/4 queries to trigger a super query under a given key, instead of N/2.)

We say that an adjacent query pair (A, L||M, R), (A ⊕ c, L||M, S) is “winning”, or “successful”, if A ⊕ R = U and A ⊕ c ⊕ S = V, or if A ⊕ R = V and A ⊕ c ⊕ S = U. Thus the adversary obtains a preimage of U||V precisely if it obtains a winning adjacent query pair. This can occur in one of two ways: either the winning query pair is part of a super query, or not. We let SuperQueryWin(Q) denote the event that the adversary obtains a winning query pair that is part of a super query, and NormalQueryWin(Q) the event that the adversary obtains a winning query pair of normal queries. It thus suffices to upper bound

$$\Pr[\mathrm{SuperQueryWin}(Q)] + \Pr[\mathrm{NormalQueryWin}(Q)].$$

Here probabilities are taken (as usual) over the adversary’s randomness (if any) and over the randomness of the ideal cipher.

We first upper bound Pr[NormalQueryWin(Q)]. Note that when the adversary makes, say, a forward query E_{L||M}(A), at most N/2 − 2 queries (counting free queries) have been previously answered with the key L||M, since otherwise a super query for the key L||M would have occurred. Thus the value R = E_{L||M}(A) comes uniformly at random from a set of size at least N/2 + 2 > N/2, and there is chance at most 2/(N/2) = 4/N that either A ⊕ R = U or A ⊕ R = V (this is also true if U = V). If, say, A ⊕ R = U, there is further chance at most 1/(N/2) = 2/N that the free query E_{L||M}(A ⊕ c) returns A ⊕ c ⊕ V, since the answer to the free query comes uniformly at random from a set of size at least N/2 + 1 > N/2. Other cases (e.g. when A ⊕ R = V, and when the adversary makes a backward query E_{L||M}^{−1}(R)) are similarly analyzed, showing that the adversary’s chance of triggering the event NormalQueryWin(Q) at any given query is at most (4/N)(2/N) = 8/N^2. Since the adversary makes q queries total, we have

$$\Pr[\mathrm{NormalQueryWin}(Q)] \le 8q/N^2. \qquad (3)$$

We now bound Pr[SuperQueryWin(Q)]. Say a super query is about to occur on key L||M, meaning that the value of E_{L||M}(·) is already known on exactly N/2 points paired into N/4 query pairs. Let A, A ⊕ c be in the domain of the super query. (We say that a point B ∈ {0,1}^n is “in the domain of the super query” if E_{L||M}(B) is not yet known, and will be queried as part of the super query; note that a point A ∈ {0,1}^n is in the domain of the super query if and only if A ⊕ c is in the domain of the super query.) Then the probability that E_{L||M}(A) = U is either 0 if U is not in the range of the super query (meaning there is a normal query E_{L||M}(B) = U already present in the query history when the super query is made), or else is exactly 2/N, since the value of E_{L||M}(A) returned by the super query is uniform at random in a set of size N/2. Thus, by a similar argument on V, the probability that E_{L||M}(A) ∈ {U, V} is at most 4/N. Conditioning on the event E_{L||M}(A) ∈ {U, V}, the probability that E_{L||M}(A ⊕ c) ∈ {U, V} is at most 1/(N/2 − 1), since E_{L||M}(A ⊕ c) is sampled uniformly at random from a set of size N/2 − 1, once the value E_{L||M}(A) is known. Thus the probability that the super query returns values such that the adjacent query pair (A, L||M, ·), (A ⊕ c, L||M, ·) is winning is at most 4/N(N/2 − 1). But A, A ⊕ c were two arbitrary paired domain points; taking a union bound over the N/4 such pairs in the domain of the super query, we find that the probability of the super query producing a winning pair of adjacent queries is at most

$$(N/4) \cdot \bigl(4/N(N/2 - 1)\bigr) = 1/(N/2 - 1).$$

We now observe that at most q/(N/4) super queries can ever occur, since each super query requires a “setup” cost of N/4 queries. Thus

$$\Pr[\mathrm{SuperQueryWin}(Q)] \le 4q/N(N/2 - 1). \qquad (4)$$

Summing (3) and (4) completes the proof. □

5 Preimage Security Results for Abreast-DM 

Abreast-DM, pictured in Figure 3, is one of the classical schemes for turning a 2n-bit key block cipher into a 3n-bit to 2n-bit compression function. It was proposed by Lai and Massey in the same paper as Tandem-DM [?]. The collision resistance of Abreast-DM was independently resolved by Fleischmann, Gorski and Lucks [2] and Lee and Kwon [?], who both showed birthday-type collision resistance for Abreast-DM. Previously, Hirose [?] had given a collision resistance analysis for a general class of compression functions that included Abreast-DM as a special case, but under the assumption that the top and bottom block ciphers of the diagram be distinct. This assumption considerably simplifies the analysis (see also the later generalization by Özen and Stam [?]).

The Preimage Security of Double-Block-Length Compression Functions

Fig. 3. The Abreast-DM compression function. The wires A, B, L are the inputs to the compression function. The empty circle at the left side of the bottom block cipher denotes bit complementation.

Previously, Lee and Kwon [?] have shown that Adv^{epre}_{Abr}(q) ≤ 6q/(2^n − 6q)^2. Although our bound for Abreast-DM (Theorem 3) is not as tight as our bound for Hirose’s scheme (Theorem 2), it is clear from Corollary 1 below that our result significantly improves this bound.

Theorem 3. Let Abr : {0,1}^{3n} → {0,1}^{2n} be the block cipher-based compression function depicted in Figure 3. Let α > 0 be an integer. Then

$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{Abr}}(q) \;\le\; \frac{16\alpha}{N} \;+\; \frac{8q}{N^2(N-2)} \;+\; 2 \cdot \Bigl(\frac{\cdots}{\alpha N}\Bigr)^{\cdots} \;+\; \frac{4q}{\alpha N}$$


Proof. Let U||V be the point to invert, chosen by the adversary before any queries are made to E.

Unlike in the proof for Hirose’s scheme, we do not give the adversary a free query after each query it makes. However, we still give the adversary “super queries” for free. More precisely, whenever the adversary has made N/2 queries under a given key K||L, and after the (N/2)-th such query has been answered and placed in the query history, we give the remaining N/2 queries under the key K||L for free to the adversary, in any order. In this case, we say that a super query occurs; every query in the query history is either part of a super query, or not; in the latter case we call the query a “normal query”. (Thus, in this theorem, normal queries are exactly the non-free queries.) Unlike in the proofs of Theorems 1 and 2 there is no notion of an adjacent query pair. However, like in the proof of Theorem 2 we alert the reader to the fact that a “super query” consists of a set of N/2 queries, whereas a “normal query” is a single query.

We define an event $\mathrm{Lucky}(Q)$ on the query history; $\mathrm{Lucky}(Q)$ occurs if 

$$|\{(X, K\|L, Y) \in Q : X \oplus Y = U\}| > 2a,$$

or if 

$$|\{(X, K\|L, Y) \in Q : X \oplus Y = V\}| > 2a.$$

The adversary obtains a preimage of $U\|V$ precisely if it obtains queries of the 
form $(A, B\|L, R)$, $(\bar{B}, L\|A, S)$ such that $A \oplus R = U$ and $\bar{B} \oplus S = V$, where $\bar{B}$ 
is the bitwise complement of $B$. It is easy to check that these two queries must 
be distinct, otherwise one obtains the contradiction $B = A = L = \bar{B}$. We call 
two such queries a “winning pair” of queries. Note, of course, that the queries 
in a winning pair need not be adjacent in the query history. We speak of the 
“first” and “second” query in a winning pair referring to the order in which they 
appear in the query history. 

Let $\mathrm{WinNormal}(Q)$ be the event that the adversary obtains a winning pair in 
which the second query is a normal query. Let $\mathrm{WinSuper}_1(Q)$ be the event that 
the adversary obtains a winning pair in which the second query is part of a super 
query and the first is either normal or part of a super query, but is not part of 
the same super query as the second. Finally let $\mathrm{WinSuper}_2(Q)$ be the event that 
the adversary obtains a winning pair in which both queries of the pair are part 
of the same super query. It is then clear that if the adversary wins, one of the 
events 

$$\mathrm{WinNormal}(Q),\quad \mathrm{WinSuper}_1(Q)\quad\text{or}\quad \mathrm{WinSuper}_2(Q)$$

occurs. In particular, thus, one of the four events 

$$\mathrm{Lucky}(Q),\quad \mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q),\quad \mathrm{WinSuper}_1(Q) \wedge \neg\mathrm{Lucky}(Q),\quad \mathrm{WinSuper}_2(Q) \wedge \neg\mathrm{Lucky}(Q)$$

must occur if the adversary wins. We upper bound the probability of each of 
these four events and sum the upper bounds in order to obtain an upper bound 
on the adversary’s advantage. 

We start by upper bounding $\Pr[\mathrm{Lucky}(Q)]$. For this we introduce two new 
events. Let $Q_n$ be the restriction of $Q$ to normal queries, and let $Q_s$ be the 
restriction of $Q$ to queries that are part of super queries. Let $\mathrm{Lucky}_n(Q)$ be the 
event that either 

$$|\{(X, K\|L, Y) \in Q_n : X \oplus Y = U\}| > a,$$

or 

$$|\{(X, K\|L, Y) \in Q_n : X \oplus Y = V\}| > a.$$

The event $\mathrm{Lucky}_s(Q)$ is likewise defined with respect to $Q_s$. Obviously, 
$\mathrm{Lucky}(Q) \Rightarrow \mathrm{Lucky}_n(Q) \vee \mathrm{Lucky}_s(Q)$, so it suffices to upper bound $\Pr[\mathrm{Lucky}_n(Q)]$ 
and $\Pr[\mathrm{Lucky}_s(Q)]$ and to sum these upper bounds. 

Since every answer to a normal query, forward or backward, comes at random 
from a set of size at least $N/2$, and since at most $q$ normal queries are made, we 
have that 

$$\Pr[\mathrm{Lucky}_n(Q)] \le 2\left(\frac{2eq}{aN}\right)^a.$$
To upper bound $\Pr[\mathrm{Lucky}_s(Q)]$, note that when a super query is made on key 
$K\|L$, the expected number of points $X \in \{0,1\}^n$ in the domain of the super 
query such that $X \oplus E_{K\|L}(X) = U$ is at most $(N/2)\cdot(2/N) = 1$, since for 
each individual such point the probability that $X \oplus E_{K\|L}(X) = U$ is either 0 (if 
$X \oplus U$ is not in the range of the super query) or $2/N$. Moreover there occur at 
most $q/(N/2) = 2q/N$ super queries, since it costs $N/2$ queries to set up a super 
query for a given key. Thus, the expectation of the random variable 

$$|\{(X, K\|L, Y) \in Q_s : X \oplus Y = U\}|,$$

taken over the coin tosses of the adversary and the randomness of $E$, is at most 
$2q/N \cdot 1 = 2q/N$. It then follows by Markov’s inequality that the probability 
that 

$$|\{(X, K\|L, Y) \in Q_s : X \oplus Y = U\}| > a$$

is at most $2q/aN$. Then by a union bound and a symmetric argument (for 
$X \oplus Y = V$), we obtain that $\Pr[\mathrm{Lucky}_s(Q)] \le 4q/aN$. Summing the upper 
bounds for $\Pr[\mathrm{Lucky}_n(Q)]$ and $\Pr[\mathrm{Lucky}_s(Q)]$, we thus obtain that 

$$\Pr[\mathrm{Lucky}(Q)] \le 2\left(\frac{2eq}{aN}\right)^a + \frac{4q}{aN}. \qquad (5)$$

We now upper bound $\Pr[\mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q)]$. For this we use a “wish 
list” argument similar to that of [?]. As the adversary makes queries, we maintain 
two sequences $W_T$ and $W_B$ called wish lists. These are initially empty. For each 
query $(X, K\|L, Y)$ added to the query history (whether normal or part of a 
super query) we update the wish lists as follows: 

1. If $X \oplus Y = U$ then $(\bar{K}, L\|X, \bar{K} \oplus V)$ is added to $W_B$. 

2. If $X \oplus Y = V$ then $(L, \bar{X}\|K, L \oplus U)$ is added to $W_T$. 

We emphasize that $W_B$ and $W_T$ are sequences, not sets. The following properties 
are easy to check: (i) a query never “adds itself” to a wish list (namely, the 
queries inserted into the wish lists — if any — as a result of query $(X, K\|L, Y)$ 
being added to the query history, are distinct from $(X, K\|L, Y)$ itself); (ii) the 
elements of $W_T$ are all distinct from one another, and the elements of $W_B$ are 
all distinct from one another — namely, the same triple is never added twice to 
a wish list; (iii) the adversary obtains a winning pair precisely if a query is ever 
added to its query history that is already a member of one of its wish lists before 
the updating of the wish lists for that query (by property (i), however, we could 
equally well say “after the updating of the wish lists for that query”). Moreover, 
as long as $\neg\mathrm{Lucky}(Q)$ holds, the wish lists never exceed length $2a$. 

Let $E_{K\|L}(X)$ be a query made to $E$ during the adversary’s attack (either a 
normal query, or as part of a super query). If, at the moment when the query 
is being made, there is an element of the form $(X, K\|L, Y)$ in (at least) one of 
the wish lists for some $Y \in \{0,1\}^n$, then we say this wish list element is being 
“wished for” when the query $E_{K\|L}(X)$ is made. We similarly say the wish list 
element $(X, K\|L, Y)$ is being “wished for” if the query $E^{-1}_{K\|L}(Y)$ is made (note 
that in this case, the query $E^{-1}_{K\|L}(Y)$ is necessarily normal, since a super query 
is, by default, implemented by forward queries). We note, importantly, that any 
wish list element can only be wished for once, since $E_{K\|L}(\cdot)$ is a permutation. 

Let $\mathrm{NormalWishGranted}_{T,i}$ be the event that a normal query $(X, K\|L, Y)$, 
when added to the query list, is equal to the $i$-th element of $W_T$ (presuming 
$W_T$ has length at least $i$ when the query is added). Likewise define 
$\mathrm{NormalWishGranted}_{B,i}$ with respect to the list $W_B$. Then by the above remarks 

$$\mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q) \Rightarrow \bigvee_{i=1}^{2a} \mathrm{NormalWishGranted}_{T,i} \;\vee\; \bigvee_{i=1}^{2a} \mathrm{NormalWishGranted}_{B,i}$$

so by a union bound 

$$\Pr[\mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q)] \le \sum_{i=1}^{2a} \Pr[\mathrm{NormalWishGranted}_{T,i}] + \sum_{i=1}^{2a} \Pr[\mathrm{NormalWishGranted}_{B,i}].$$

Because each wish list element can only be wished for once and because a normal 
query is answered at random uniformly from a set of size at least $N/2$, we have 

$$\Pr[\mathrm{NormalWishGranted}_{T,i}] \le 2/N,\qquad \Pr[\mathrm{NormalWishGranted}_{B,i}] \le 2/N$$

and therefore 

$$\Pr[\mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q)] \le 2\cdot(4a/N) = 8a/N. \qquad (6)$$

We now upper bound $\Pr[\mathrm{WinSuper}_1(Q) \wedge \neg\mathrm{Lucky}(Q)]$. We keep the same defi- 
nition of the wish lists $W_T$, $W_B$ as above. We let $\mathrm{SuperWishGranted}_{T,i}$ be the 
event that a query $(X, K\|L, Y)$ that is part of a super query is equal to the $i$-th 
element of $W_T$, where $W_T$ has length $\ge i$ before any of the super queries under 
key $K\|L$ have been made. The event $\mathrm{SuperWishGranted}_{B,i}$ is similarly defined. 
By the definition of $\mathrm{WinSuper}_1(Q)$ we have that 

$$\Pr[\mathrm{WinSuper}_1(Q) \wedge \neg\mathrm{Lucky}(Q)] \le \sum_{i=1}^{2a} \Pr[\mathrm{SuperWishGranted}_{T,i}] + \sum_{i=1}^{2a} \Pr[\mathrm{SuperWishGranted}_{B,i}].$$

Assume, for a given $i$, that the $i$-th element of $W_T$ (say) is $(X, K\|L, Y)$, and 
that a super query is about to be made for the key $K\|L$, and that $X$ is in the 
domain of the super query. Then the probability that $E_{K\|L}(X) = Y$ is at most 
$2/N$ (more precisely, it is exactly $2/N$ unless $Y$ is not in the super query’s range, 
in which case it is 0). Thus, arguing similarly for the list $W_B$, we obtain that 

$$\Pr[\mathrm{SuperWishGranted}_{T,i}] \le 2/N,\qquad \Pr[\mathrm{SuperWishGranted}_{B,i}] \le 2/N.$$

Therefore 

$$\Pr[\mathrm{WinSuper}_1(Q) \wedge \neg\mathrm{Lucky}(Q)] \le 8a/N. \qquad (7)$$

We finally bound $\Pr[\mathrm{WinSuper}_2(Q) \wedge \neg\mathrm{Lucky}(Q)]$. In fact we upper bound the 
value $\Pr[\mathrm{WinSuper}_2(Q)]$, and we do not use a wish list argument. Note the event 
$\mathrm{WinSuper}_2(Q)$ can only occur when a super query is made on a key of the form 
$L\|L$, and then occurs only if both $L$ and $\bar{L}$ are in the domain of the super query 
and if $E_{L\|L}(L) \oplus L = U$, $E_{L\|L}(\bar{L}) \oplus \bar{L} = V$. It is easy to see that the probability 
(when the super query is made) that these latter equalities hold is at most 
$(2/N)\cdot(1/(N/2-1))$. Since at most $q/(N/2)$ super queries are made, we therefore 
have 

$$\Pr[\mathrm{WinSuper}_2(Q) \wedge \neg\mathrm{Lucky}(Q)] \le \Pr[\mathrm{WinSuper}_2(Q)] \le \frac{4q}{N^2(N/2-1)}. \qquad (8)$$

Finally, we obtain the theorem by summing (5), (6), (7) and (8). □ 

Corollary 1. We have 

$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{Abr}}(2^{2n-10}) \le 1/2 + o(1)$$

where the $o(1)$ term tends to 0 as $n \to \infty$. 

Proof. By setting $a = q^{1/2}/2$ (note that $a$ is allowed to depend on $q$), the bound 
from Theorem 3 simplifies to 

$$\frac{16q^{1/2}}{N} + \frac{8q}{N^2(N-2)} + 2\left(\frac{4eq^{1/2}}{N}\right)^{q^{1/2}/2}.$$

Suppose that $q = (cN)^2$ for some $0 < c < 1$; then this bound can be rewritten as 

$$16c + \frac{8c^2}{N-2} + 2\,(4ec)^{cN/2}.$$

For $4ec < 1$ this tends to $16c$, so setting $c = 1/32$ gives us the claimed result. □ 

6 Preimage Security Results for Tandem-DM 

The Tandem-DM compression function, proposed by Lai and Massey in 1992 [?], 
is a 3n-bit to 2n-bit compression function based on two applications of a block 
cipher of 2n-bit key and n-bit word length (Figure 4). The first (flawed) proof 
of collision security for Tandem-DM (by Fleischmann, Gorski and Lucks [?]) 
did not appear until 2009. Later, Lee, Stam and Steinberger [?] gave a correct 
collision resistance analysis of Tandem-DM showing that indeed it has birthday- 
type collision security in the ideal cipher model (necessitating at least $2^{120.8}$ 
queries to break when the output length is $2n = 256$ bits). They also showed 
preimage resistance up to essentially $2^{128}$ queries (for $n = 128$), once $0^n\|0^n$ is 
excluded as challenge digest. Our new bound is identical to the bound we gave 
for Abreast-DM, so in particular $2^{2n-10}$ queries are needed to obtain a preimage 
with probability $\approx 0.5$ (Corollary 2). 

Fig. 4. The Tandem-DM compression function. The wires A, B, L are the inputs to the 
compression function. 

Theorem 4. Let $\mathrm{Tan} : \{0,1\}^{3n} \to \{0,1\}^{2n}$ be the block cipher-based compression 
function depicted in Figure 4. Let $a > 0$ be an integer. Then 

$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{Tan}}(q) \le \frac{16a}{N} + \frac{8q}{N^2(N-2)} + 2\left(\frac{2eq}{aN}\right)^a + \frac{4q}{aN}.$$



Proof. Let $U\|V \ne 0^n\|0^n$ be the point to invert, chosen by the adversary before 
making any queries to $E$. 

We manage free queries exactly as for Abreast-DM; more precisely, when $N/2$ 
queries are made to $E$ under a given key, we give the remaining $N/2$ queries 
under that key for free to the adversary, and this constitutes a “super query”. 
No other free queries are given. 

In the case of Tandem-DM, the adversary obtains a preimage of $U\|V$ precisely 
if it obtains queries of the form $(A, B\|L, R)$, $(B, L\|R, S)$ such that $A \oplus R = U$, 
$B \oplus S = V$. It is easy to see these two queries must be distinct, otherwise 
we would have $A = B = L = R = S$ and therefore $U\|V = 0^n\|0^n$. We call two 
queries as above a “winning pair” of queries, where the two elements of a winning 
pair need not be adjacent in the query history (and could be in any order). We 
speak again of the “first” and “second” query in a winning pair referring to the 
order in which they appear in the query history. 

We define the events $\mathrm{Lucky}(Q)$, $\mathrm{WinNormal}(Q)$, $\mathrm{WinSuper}_1(Q)$ and 
$\mathrm{WinSuper}_2(Q)$ as in the proof of Theorem 3 (but with respect, of course, to 
the new definition of “winning pair”). If the adversary wins, one of the events 

$$\mathrm{Lucky}(Q),\quad \mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q),\quad \mathrm{WinSuper}_1(Q) \wedge \neg\mathrm{Lucky}(Q),\quad \mathrm{WinSuper}_2(Q) \wedge \neg\mathrm{Lucky}(Q)$$

must occur. We upper bound the probability of each of these events separately. 
As in the case of Theorem 3 we have 

$$\Pr[\mathrm{Lucky}(Q)] \le 2\left(\frac{2eq}{aN}\right)^a + \frac{4q}{aN}. \qquad (9)$$

To upper bound $\Pr[\mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q)]$, we again use wish lists. There 
are two wish lists, $W_T$ and $W_B$, which are initially empty and which are updated 
after each new query $(X, K\|L, Y)$ placed into the query history, according to 
the following rules: 

1. If $X \oplus Y = U$ then $(K, L\|Y, K \oplus V)$ is added to $W_B$. 

2. If $X \oplus Y = V$ then $(L \oplus U, X\|K, L)$ is added to $W_T$. 

The same four properties from Theorem 3 are easy to check: (i) a query never 
“adds itself” to a wish list (this uses $U\|V \ne 0^n\|0^n$); (ii) the elements within 
each wish list are all distinct from one another; (iii) the adversary obtains a 
winning pair precisely if it obtains a query that is already in one of its wish 
lists (at the moment of insertion of that query into the query history). And by 
definition of $\mathrm{Lucky}(Q)$, the wish lists never exceed length $2a$ as long as $\neg\mathrm{Lucky}(Q)$ 
holds. 
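The winning-pair and wish-list bookkeeping of both proofs (rules 1 and 2 above for Tandem-DM, and the complemented rules in the proof of Theorem 3 for Abreast-DM) can be exercised on a toy instance. The following Python is an added example, not code from the paper; it assumes a toy word length n = 4 with the ideal cipher modelled by seeded random permutations, and follows the page's conventions (Abreast-DM's bottom output is $\bar{B} \oplus S$):

```python
"""Added example: the winning-pair / wish-list bookkeeping from the proofs of
Theorems 3 and 4 on a toy instance.  Assumption: n = 4 (N = 16), so the whole
ideal cipher can be queried; the paper's n is 128."""
import itertools
import random

N_BITS = 4            # toy word length n; N = 2^n
N = 1 << N_BITS
MASK = N - 1


class IdealCipher:
    """Ideal cipher with n-bit blocks and 2n-bit keys K||L: one independent,
    seeded random permutation per key, sampled lazily (constructed stand-in)."""

    def __init__(self, seed=2011):
        self.seed = seed
        self.perms = {}

    def enc(self, k, l, x):
        """E_{K||L}(X)."""
        key = (k << N_BITS) | l
        if key not in self.perms:
            perm = list(range(N))
            random.Random((self.seed << 16) | key).shuffle(perm)
            self.perms[key] = perm
        return self.perms[key][x]


def comp(x):
    """Bitwise complement on n bits (the empty circle in Fig. 3)."""
    return x ^ MASK


def abreast_dm(E, a, b, l):
    """Abreast-DM in the page's notation: U = A ^ E_{B||L}(A), V = ~B ^ E_{L||A}(~B)."""
    return a ^ E.enc(b, l, a), comp(b) ^ E.enc(l, a, comp(b))


def tandem_dm(E, a, b, l):
    """Tandem-DM: R = E_{B||L}(A), U = A ^ R, V = B ^ E_{L||R}(B)."""
    r = E.enc(b, l, a)
    return a ^ r, b ^ E.enc(l, r, b)


def abreast_wishes(x, k, l, y, u, v):
    """Wish-list rules of Theorem 3 for the query (X, K||L, Y).  Each entry is
    (list, wished-for query as (X', K', L', Y'), preimage (A, B, L) it would complete)."""
    out = []
    if x ^ y == u:   # acts as top query with A=X, B=K: wish for the bottom query
        out.append(("B", (comp(k), l, x, comp(k) ^ v), (x, k, l)))
    if x ^ y == v:   # acts as bottom query with ~B=X, L=K, A=L: wish for the top query
        out.append(("T", (l, comp(x), k, l ^ u), (l, comp(x), k)))
    return out


def tandem_wishes(x, k, l, y, u, v):
    """Wish-list rules of Theorem 4 for the query (X, K||L, Y)."""
    out = []
    if x ^ y == u:   # top query, R=Y: the bottom query (K, L||Y) must return K ^ V
        out.append(("B", (k, l, y, k ^ v), (x, k, l)))
    if x ^ y == v:   # bottom query, R=L, S=Y: the top query (L ^ U, X||K) must return L
        out.append(("T", (l ^ u, x, k, l), (l ^ u, x, k)))
    return out


def run_wish_lists(compress, wishes, u, v, seed=2011):
    """Ask every query E_{K||L}(X) once, in random order, maintaining W_T and W_B.
    Checks properties (i)-(iii) of the proofs and returns (granted wishes,
    brute-force count of preimages of U||V); property (iii) says they agree."""
    E = IdealCipher(seed)
    order = list(itertools.product(range(N), repeat=3))   # all (K, L, X)
    random.Random(seed + 1).shuffle(order)
    wish = {"T": {}, "B": {}}                              # wished-for query -> preimage
    granted = 0
    for k, l, x in order:
        y = E.enc(k, l, x)
        q = (x, k, l, y)
        for name in ("T", "B"):
            if q in wish[name]:                            # (iii): a granted wish ...
                a, b, ll = wish[name][q]
                assert compress(E, a, b, ll) == (u, v)     # ... is a preimage of U||V
                granted += 1
        for name, wanted, preimage in wishes(x, k, l, y, u, v):
            assert wanted != q                             # (i): never adds itself
            assert wanted not in wish[name]                # (ii): no triple added twice
            wish[name][wanted] = preimage
    brute = sum(compress(E, a, b, ll) == (u, v)
                for a, b, ll in itertools.product(range(N), repeat=3))
    return granted, brute
```

With every query asked, the number of granted wishes equals the brute-force number of preimages of $U\|V$ for both constructions, which is exactly property (iii).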

Let $\mathrm{NormalWishGranted}_{T,i}$, $\mathrm{NormalWishGranted}_{B,i}$ be defined as in (the proof 
of) Theorem 3. Then, using exactly the same analysis as in the proof of Theorem 
3, we have that 

$$\Pr[\mathrm{NormalWishGranted}_{T,i}] \le 2/N,\qquad \Pr[\mathrm{NormalWishGranted}_{B,i}] \le 2/N$$

and that 

$$\Pr[\mathrm{WinNormal}(Q) \wedge \neg\mathrm{Lucky}(Q)] \le 8a/N. \qquad (10)$$

Then also arguing word for word as in the proof of Theorem 3, we find that 

$$\Pr[\mathrm{WinSuper}_1(Q) \wedge \neg\mathrm{Lucky}(Q)] \le 8a/N. \qquad (11)$$

We finally bound $\Pr[\mathrm{WinSuper}_2(Q) \wedge \neg\mathrm{Lucky}(Q)]$. Note the event $\mathrm{WinSuper}_2(Q)$ 
can only occur when a super query occurs for a key of the form $L\|L$, and when 
that super query results in the triples $(U \oplus L, L\|L, L)$, $(L, L\|L, L \oplus V)$ being 
added to the query history. The probability that $E_{L\|L}(U \oplus L) = L$ is at most 
$2/N$, and, conditioned on the event that $E_{L\|L}(U \oplus L) = L$, the probability that 
$E_{L\|L}(L) = L \oplus V$ is at most $1/(N/2-1)$. Since at most $2q/N$ super queries 
occur, we thus find that 

$$\Pr[\mathrm{WinSuper}_2(Q) \wedge \neg\mathrm{Lucky}(Q)] \le \Pr[\mathrm{WinSuper}_2(Q)] \le \frac{4q}{N^2(N/2-1)}. \qquad (12)$$

The theorem follows by summing (9), (10), (11) and (12). □ 

As for Abreast-DM, we have the following corollary (with the same proof): 

Corollary 2. We have 

$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{Tan}}(2^{2n-10}) \le 1/2 + o(1)$$

where the $o(1)$ term tends to 0 as $n \to \infty$. 
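To see the numbers behind Corollaries 1 and 2 concretely, the following Python evaluates the right-hand side of Theorems 3 and 4 (the two bounds are identical). It is an added example, not code from the paper; the helper names preimage_bound, bound_for_c and corollary_bound are this example's own, and the exponential term is computed in the log domain so that n = 128 or 256 does not overflow a float:

```python
"""Added example: numerical evaluation of the preimage bound of Theorems 3 and 4
and of Corollaries 1 and 2.  q and a are treated as reals; the exponential term is
computed in the log domain so that realistic n (128, 256) does not overflow."""
import math


def safe_pow(base, exponent):
    """base ** exponent for base >= 0, returning inf instead of raising OverflowError."""
    if base <= 0.0:
        return 0.0
    log_value = exponent * math.log(base)
    return math.inf if log_value > 700.0 else math.exp(log_value)


def preimage_bound(n, q, a):
    """Right-hand side of Theorem 3 (identical in Theorem 4) for word length n,
    q queries and the free parameter a, with N = 2^n:
        16a/N + 8q/(N^2 (N-2)) + 2 (2eq/(aN))^a + 4q/(aN)."""
    N = 2.0 ** n
    win_normal_and_super1 = 16.0 * a / N                    # bounds (6) + (7)
    win_super2 = 8.0 * q / (N * N * (N - 2.0))              # bound (8)
    lucky = 2.0 * safe_pow(2.0 * math.e * q / (a * N), a) + 4.0 * q / (a * N)   # bound (5)
    return win_normal_and_super1 + win_super2 + lucky


def bound_for_c(n, c):
    """The bound with q = (cN)^2 and a = q^(1/2)/2 = cN/2, as in the proof of
    Corollary 1, where it simplifies to 16c + 8c^2/(N-2) + 2 (4ec)^(cN/2)."""
    N = 2.0 ** n
    q = (c * N) ** 2
    return preimage_bound(n, q, math.sqrt(q) / 2.0)


def corollary_bound(n):
    """Corollaries 1 and 2: the advantage after q = 2^(2n-10) queries, i.e. c = 1/32."""
    return bound_for_c(n, 1.0 / 32.0)
```

For c = 1/32 the two surviving terms contribute 1/4 each, giving the 1/2 of the corollaries, while for 4ec > 1 the exponential term makes the bound vacuous, and a poorly chosen a (for instance a = 1) does the same.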


7 Conclusion 

In this work, we developed and applied new techniques for determining lower 
bounds with respect to preimage resistance. As opposed to existing techniques, 
statements on the security beyond the birthday bound are possible. We suc- 
cessfully applied these techniques to the three popular double-block-length, 
double-call, block cipher-based compression functions, these being Abreast-DM, 
Tandem-DM and Hirose’s scheme. 

Although these techniques allow for proving asymptotically optimal bounds, 
these bounds differ by constant factors from the best possible bound. This raises 
the question whether more accurate bounds can be derived, possibly revealing 
differences in the preimage resistance between the three constructions. A related 
question is the estimation of non-trivial upper bounds on the preimage resistance. 
Abstract. The hash function JH [23] is one of the five finalists of the 
NIST SHA-3 hash competition. It has been recently tweaked for the final 
by increasing its number of rounds from 35.5 to 42. The previously best 
known results on JH were semi-free-start near-collisions up to 22 rounds 
using multi-inbound rebound attacks. In this paper we provide a new dif- 
ferential path on 32 rounds. Using this path, we are able to build various 
semi-free-start internal-state near-collisions and the maximum number 
of rounds that we achieved is up to 37 rounds on 986 bits. Moreover, we 
build distinguishers in the full 42-round internal permutation. These are, 
to our knowledge, the first results faster than generic attack on the full 
internal permutation of JH42, the finalist version. These distinguishers 
also apply to the compression function. 

Keywords: hash function, rebound attack, JH, cryptanalysis, SHA-3. 

1 Introduction 

A cryptographic hash function is a one way mathematical function that takes 
a message of arbitrary length as input and produces an output of fixed length, 
which is commonly called a fingerprint or message digest. Hash functions are 
fundamental components of many cryptographic applications such as digital sig- 
natures, authentication, key derivation, random number generation, etc. So, in 
terms of security any hash function should be preimage, second-preimage and 
collision resistant. 

Most of the recent hash functions use either compression functions or internal 
permutations as building blocks in their design. In addition to the main prop- 
erties mentioned above, some ideal properties should also be satisfied for the 
building blocks. This means that the algorithm should not have any structural 
weaknesses and should not be distinguishable from a random oracle. The ab- 
sence of these properties on building blocks may not impact the security claims 
of the hash function immediately but it helps to point out the potential flaws in 
the design. 

Since many of the hash standards [?] have been broken in recent years, 
the National Institute of Standards and Technology (NIST) announced a com- 
petition to replace the current standard SHA-2 with a new algorithm SHA-3. 
The hash function JH designed by Hongjun Wu, is one of the five finalists 
of this competition. It is a very simple design and efficient in both software and 
hardware. JH supports four different hash sizes: 224, 256, 384 and 512-bit. It has 
been tweaked from the second round to the final round by increasing its number 
of rounds from 35.5 to 42. The new version is called JH42. 

Related Work. We recall here the previously best known results on JH. A 
marginal preimage attack on the 512-bit hash function with a complexity in 
time and memory of $2^{507}$ was presented in [?]. Several multi-inbound rebound 
attacks were presented in [?], providing in particular a semi-free-start collision 
for 16 rounds with a complexity of $2^{190}$ in time and $2^{104}$ in memory and a semi- 
free-start near-collision for 22 rounds of the compression function with a complexity 
of $2^{168}$ in time and $2^{143}$ in memory. In [12, Sec. 4.1], improved complexities for 
these rebound attacks were provided: $2^{97}$ in time and memory for the 16-round 
semi-free-start collision and $2^{96}$ in time and memory for the 22-round semi-free- 
start near-collision for the compression function. 


Our Contributions. In this paper we apply, as in [?], a multi-inbound re- 
bound attack, using 6 inbounds that cover rounds from 0 to 32. We first find 
partial solutions for the differential part of the path by using the ideas from [?]. 
Due to the increased number of rounds compared with the previous attacks, the 
differential path will have several highly active peaks, instead of one as in [?]. 
This means that, while in the previous attacks finding the whole solution for the 
path could be easily done without contradicting any of the already fixed values 
from the inbounds, now finding the complete solution is the most expensive part. 
We propose here an algorithm that allows us to find whole solutions for rounds 
from 4 to 26 with an average complexity of $2^{64}$. By repeating the algorithm, the 
attack can be started from round 0 and extended up to 37 rounds for building 
semi-free-start near-collisions on the internal state, since we have enough degrees 
of freedom. Based on the same differential characteristic, we also present distin- 
guishers for 42 rounds of the internal permutation, which is the first distinguisher 
on the internal permutation faster than a generic attack to the best of our knowledge. 
We summarize our main results in Table 1. 

This paper is organized as follows: In Section 2 we give a brief description of 
the JH hash function, its properties and an overview of the rebound attack. In 
Section 3 we first describe the main idea of our attack and then give the semi- 
free-start internal near-collision results on the tweaked version JH42. Based on these 
Table 1. Comparison of best attack results on JH (sfs: semi-free-start) 

target          | rounds | comp.    | memory   | attack type        | generic   | sect. 
----------------+--------+----------+----------+--------------------+-----------+------ 
hash function   | 16     | 2^190    | 2^104    | sfs collision      | 2^256     | [?] 
hash function   | 16     | 2^96.1   | 2^96.1   | sfs collision      | 2^256     | [?] 
comp. function  | 19-22  | 2^168    | 2^143.7  | sfs near-collision | 2^236     | [?] 
comp. function  | 19-22  | 2^95.6   | 2^95.6   | sfs near-collision | 2^236     | [12] 
comp. function  | 26     | 2^112    | 2^57.6   | sfs near-collision | 2^341.45  | ?? 
comp. function  | 32     | 2^304    | 2^57.6   | sfs near-collision | 2^437.13  | ?? 
comp. function  | 36     | 2^352    | 2^57.6   | sfs near-collision | 2^437.13  | ?? 
comp. function  | 37     | 2^352    | 2^57.6   | sfs near-collision | 2^396.7   | ?? 
internal perm.  | 42     | 2^304    | 2^57.6   | distinguisher      | 2^705     | ?? 
internal perm.  | 42     | 2^352    | 2^57.6   | distinguisher      | 2^762     | ?? 


results, we describe a distinguisher in Section 4 for the full internal permutation, 
which also applies to the full compression function. Finally, we conclude the paper 
and summarize our results in Section 5. 


2 Preliminaries 

2.1 The JH42 Hash Function 

The hash function JH is an iterative hash function that accepts message blocks 
of 512 bits and produces a hash value of 224, 256, 384 or 512 bits. The message 
is padded to be a multiple of 512 bits. The bit ‘1’ is appended to the end of the 
message, followed by $384 - 1 + (-l \bmod 512)$ zero bits. Finally, a 128-bit block is 
appended which is the length of the message, $l$, represented in big endian form. 
Note that this scheme guarantees that at least 512 additional bits are padded. 
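The padding rule just described, as an added Python example (not the JH reference code); the function names jh_pad, padded_blocks and padding_bits_added are this example's own:

```python
"""Added example: the JH padding rule of Section 2.1.  A '1' bit, then
384 - 1 + (-l mod 512) zero bits, then the 128-bit big-endian message length l
(l in bits), so the padded message is a multiple of 512 bits."""


def jh_pad(message: bytes) -> bytes:
    """Return the padded message; the length of the result is a multiple of 512 bits."""
    l = len(message) * 8                       # message length in bits
    zero_bits = 384 - 1 + ((-l) % 512)         # Python's % already yields the non-negative residue
    bits = "".join(format(byte, "08b") for byte in message)
    bits += "1" + "0" * zero_bits + format(l, "0128b")
    # l + 1 + 383 + (-l mod 512) + 128 = l + 512 + (-l mod 512), a multiple of 512
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def padded_blocks(message: bytes):
    """Split the padded message into the 512-bit (64-byte) blocks M_i fed to F_d."""
    padded = jh_pad(message)
    return [padded[i:i + 64] for i in range(0, len(padded), 64)]


def padding_bits_added(message: bytes) -> int:
    """Number of padding bits appended; the rule guarantees at least 512."""
    return len(jh_pad(message)) * 8 - len(message) * 8
```

The empty message becomes a single block 0x80 00 ... 00 and a 64-byte message becomes two blocks, since a full extra block is always appended.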

In each iteration, the compression function $F_d$, given in Figure 1, is used to 
update the $2^{d+2}$ bits of the state $H_{i-1}$ as follows: 

$$H_i = F_d(H_{i-1}, M_i)$$

where $H_{i-1}$ is the previous chaining value and $M_i$ is the current message block. 
The compression function $F_d$ is defined as follows: 

$$F_d(H_{i-1}, M_i) = E_d\big(H_{i-1} \oplus (M_i \| 0^{2^{d+1}})\big) \oplus (0^{2^{d+1}} \| M_i)$$

Here, $E_d$ is a permutation and is composed of an initial grouping of bits followed 
by $6(d-1)$ rounds, plus a final degrouping of bits. The grouping operation 
arranges bits in a way that the input to each S-Box has two bits from the 
message part and two bits from the chaining value. In each round, the input is 
divided into $2^d$ words and then each word passes through an S-Box. JH uses 
two 4-bit-to-4-bit S-Boxes (S0 and S1) and every round constant bit selects 
which S-Boxes are used. Then two consecutive words pass through the linear 
transformation $L$, which is based on a [4,2,3] Maximum Distance Separable 
(MDS) code over $GF(2^4)$. Finally all words are permuted by the permutation 
$P_d$. After the degrouping operation each bit returns to its original position. 

Fig. 1. The compression function $F_d$ that transforms $2^{d+2}$ bits treated as $2^d$ words of 
four bits 

The initial hash value $H_0$ is set depending on the message digest size. The 
first two bytes of $H_{-1}$ are set as the message digest size, and the rest of the bytes 
of $H_{-1}$ are set as zero. Then, $H_0 = F_d(H_{-1}, 0)$. Finally, the message digest is 
generated by truncating $H_N$ where $N$ is the number of blocks in the padded 
message, i.e., the last $X$ bits of $H_N$ are given as the message digest of JH-$X$ 
where $X = 224, 256, 384$ or $512$. 

The official submitted version of JH42 has $d = 8$ and so the number of rounds 
is 42 and the size of the internal state is 1024 bits. Then, from now on, we will 
only consider $E_8$. For more detailed information we refer to the specification 
of JH [?]. 

2.2 Properties of the Linear Transformation L 

Since the linear transformation $L$ implements a [4, 2, 3] MDS code, any difference 
in one of the words of the input (output) will result in a difference in two words 
of the output (input). For a fixed $L$ transformation, if one tries all possible $2^{16}$ 
pairs, the number of pairs satisfying the condition $2 \to 1$ or $1 \to 2$ is 3840, 
which gives a probability of $3840/65536 \approx 2^{-4.09}$. Note that, if the words are 
arranged in a way that they will both be active, this probability increases to 
$3840/57600 \approx 2^{-3.91}$. For the latter case, if both words remain active ($2 \to 2$), 
the probability is $49920/57600 \approx 2^{-0.21}$. 

2.3 Observations on the Compression Function 

The grouping of bits at the beginning of the compression function assures that 
the input of every first layer S-Box is xor-ed with two message bits. Similarly, 
the output of each S-Box is xor-ed with two message bits. Therefore, for a ran- 
dom non-zero 4-bit difference, the probability that this difference is related to a 
message is $3/15 \approx 2^{-2.32}$. 

The bit-slice implementation of $F_d$ uses $d - 1$ different round functions. The 
main difference between these round functions is the permutation function. In 
each round permutation, the odd bits are swapped by $2^{r \bmod (d-1)}$ where $r$ 
is the round number. Therefore, for the same input passing through multiple 
rounds, the output is identical to the output of the original round function for 
the $a\cdot(d-1)$-th round where $a$ is any integer. 

2.4 The Rebound Attack 

The rebound attack was introduced by Mendel et al. [?]. The two main steps 
of the attack are called the inbound phase and the outbound phase. In the inbound 
phase, the available degrees of freedom are used to connect the middle rounds by 
using the match-in-the-middle technique, and in the outbound phase connected 
truncated differentials are computed in both the forward and backward direction. 

This attack was first used for the cryptanalysis of reduced versions of 
Whirlpool and Grøstl, and then extended to obtain distinguishers for the full 
Whirlpool compression function [?]. Later, linearized match-in-the-middle and 
start-from-the-middle techniques were introduced by Mendel et al. [?] to improve 
the rebound attack. Moreover, a sparse truncated differential path and state 
is used in the attack on LANE by Matusiewicz et al. [?] rather than using 
a full active state in the matching part of the attack. Then, these techniques 
were used to improve the results on AES-based algorithms in the following pa- 
pers: [?]. 


3 Semi-free-start Internal Near- Collisions 

In this section, we first present an outline for the rebound attack on reduced 
round versions of JH for all hash sizes. We use a differential characteristic that 
covers 32 rounds, and apply the start-from-the-middle technique by using six 
inbound phases with partially active states. We first describe how to solve the 
multi-inbound phase for the active bytes. Contrary to previous attacks on JH, 
we now have more fixed values from the inbound phases. So, in order to find a 
complete solution, we need to merge these fixed values without contradicting any 
of them. Therefore, we describe next how to match the passive bytes. Finally, 
we analyze the outbound part. 


3.1 Matching the Active Bytes 

Fig. 2. Differential characteristic for 32 rounds of JH Compression Function (bit-slice 
representation) 

Multi-inbound Phase. The multi-inbound phase of the attack covers 32 
rounds and is composed of two parts. In the first part, we apply the start-from- 
the-middle technique six times for rounds 0–4, 4–10, 10–16, 16–20, 20–26 
and 26–32. In the second part, we connect the resulting active bytes (hence 
the corresponding state values) by a match-in-the-middle step. The number of 
active S-Boxes in each of the sets is: 


4 ← 8 ← 16 → 8 → 4                      (1) 

4 ← 8 ← 16 ← 32 ← 64 → 32 → 16          (2) 

16 ← 32 ← 64 → 32 → 16 → 8 → 4          (3) 

4 ← 8 ← 16 → 8 → 4                      (4) 

4 ← 8 ← 16 ← 32 ← 64 → 32 → 16          (5) 

16 ← 32 ← 64 → 32 → 16 → 8 → 4          (6) 


Here, the arrows represent the direction of the computations for the inbound 
phases and for a detailed sketch we refer to Figure 3. We start from the middle 
and then propagate outwards by computing the cross-product¹ of the sets and 
using the filtering conditions. For each inbound we try all possible $2^{16}$ pairs in 
Step 0. The number of sets, the bit length of the middle values (size) of each list, 
and the number of filtering conditions on words followed by the number of pairs 
in each set are given in Table 2. The complexities given in Table 2 are not 
optimized yet; we will describe the improved complexities later in Section ??. 


Merging Inbound Phases. The remaining pairs at inbound $i$ are stored in 
list $L_i$. Connecting the six lists is performed in three steps as follows: 

1. Whenever a pair is obtained from set 2, we check whether it exists in $L_3$ or 
not. If it does, another check is done for $L_1$. Since we have $2^{23.44}$ and $2^{83.96}$ 
elements in lists 1 and 3 respectively, $2^{83.96}$ pairs passing the second inbound 
phase, and 32-bit and 128-bit conditions for the matches, the expected num- 
ber of remaining pairs is $2^{23.44} \cdot 2^{-32} \cdot (2^{83.96} \cdot 2^{-128} \cdot 2^{83.96}) = 2^{31.36}$. We 
store these pairs in list $A$. 

2. Similarly, whenever a pair is obtained from set 5, we check whether it exists 
in $L_6$ or not. If it does, another check is done for $L_4$. Since we have $2^{32.72}$ 
and $2^{83.96}$ elements in lists 4 and 6 respectively, $2^{80}$ pairs passing the fifth in- 
bound phase, and 32-bit and 128-bit conditions for the matches, the expected 
number of remaining pairs is $2^{32.72} \cdot 2^{-32} \cdot (2^{83.96} \cdot 2^{-128} \cdot 2^{83.96}) = 2^{40.64}$. We 
store these pairs in list $B$. 

3. The last step is merging these sets $A$ and $B$. We have $2^{31.36}$ elements in $A$ and 
$2^{40.64}$ elements in $B$ and 32 bits of condition. Therefore the total expected 
number of remaining pairs is $2^{31.36} \cdot 2^{-32} \cdot 2^{40.64} = 2^{40}$. 


Improving the complexity of finding a solution for the differential part. 

We have described how to obtain the existing $2^{40}$ solutions for the differential 
part. We are going to describe here a better way of doing the inbounds, as 
proposed in [12, Sec. 4.1]. This new technique allows us to reduce the previous 
complexity from $2^{99.70}$ in time and $2^{83.96}$ in memory to $2^{69.6}$ in time and $2^{67.6}$ 
in memory. As in our further analysis we will just use one solution (and not $2^{40}$) 
for the differential part, we will adapt the values, being able to finally reduce the 
complexity of this part of the attack to $2^{59.6}$ in time and $2^{57.6}$ in memory. This 
memory is the memory bottleneck of all the analysis presented in this paper. 

1. We consider the six inbounds as described in the previous section, with the 
difference that, for inbounds 2, 3, 5 and 6 we will not perform the last step, 
but instead we obtain for each inbound $i \in \{2, 3, 5, 6\}$ two lists $L_{A,i}$ and $L_{B,i}$ 
as a result, each of size $2^{49.80}$ associated to half of the corresponding differ- 
ential path. As mentioned before, we are only looking to find one solution 

¹ Cross-product is an operation on two arrays that results in another array whose 
elements are obtained by combining each element in the first array with every element 
in the second array. 
Table 2. Overview of inbound phases of the attack on 32 rounds of JH 

          | Step | Size | Sets | Filtering  | Pairs     | Complexity 
          |      |      |      | conditions | remaining | backwards | forwards 
----------+------+------+------+------------+-----------+-----------+--------- 
Inbound 1 |  0   |   8  |   8  |     1      | 2^11.91   |    -      | 2^16 
          |  1   |  16  |   4  |     2      | 2^16      | 2^23.91   |  - 
          |  2   |  32  |   2  |     2      | 2^24.18   | 2^32.09   |  - 
          |  3   |  64  |   1  |     4      | 2^32.72   | 2^48.46   |  - 
          |  4   |  64  |   1  |     4 (a)  | 2^23.44   |    -      |  - 
Inbound 2 |  0   |   8  |  32  |     1      | 2^11.91   |    -      | 2^16 
          |  1   |  16  |  16  |     2      | 2^16      | 2^23.91   |  - 
          |  2   |  32  |   8  |     2      | 2^24.18   | 2^32.09   |  - 
          |  3   |  64  |   4  |     4      | 2^32.72   | 2^48.46   |  - 
          |  4   | 128  |   2  |     4      | 2^49.80   | 2^65.54   |  - 
          |  5   | 256  |   1  |     4      | 2^83.96   | 2^99.70   |  - 
Inbound 3 |  0   |   8  |  32  |     1      | 2^11.91   |    -      | 2^16 
          |  1   |  16  |  16  |     2      | 2^16      | 2^23.91   |  - 
          |  2   |  32  |   8  |     2      | 2^24.18   | 2^32.09   |  - 
          |  3   |  64  |   4  |     4      | 2^32.72   |    -      | 2^48.46 
          |  4   | 128  |   2  |     4      | 2^49.80   |    -      | 2^65.54 
          |  5   | 256  |   1  |     4      | 2^83.96   |    -      | 2^99.70 
Inbound 4 |  0   |   8  |   8  |     1      | 2^11.91   |    -      | 2^16 
          |  1   |  16  |   4  |     2      | 2^16      | 2^23.91   |  - 
          |  2   |  32  |   2  |     2      | 2^24.18   | 2^32.09   |  - 
          |  3   |  64  |   1  |     4      | 2^32.72   | 2^48.46   |  - 
Inbound 5 |  0   |   8  |  32  |     1      | 2^11.91   |    -      | 2^16 
          |  1   |  16  |  16  |     2      | 2^16      | 2^23.91   |  - 
          |  2   |  32  |   8  |     2      | 2^24.18   |    -      | 2^32.09 
          |  3   |  64  |   4  |     4      | 2^32.72   | 2^48.46   |  - 
          |  4   | 128  |   2  |     4      | 2^49.80   | 2^65.54   |  - 
          |  5   | 256  |   1  |     4      | 2^83.96   | 2^99.70   |  - 
Inbound 6 |  0   |   8  |  32  |     1      | 2^11.91   |    -      | 2^16 
          |  1   |  16  |  16  |     2      | 2^16      | 2^23.91   |  - 
          |  2   |  32  |   8  |     2      | 2^24.18   | 2^32.09   |  - 
          |  3   |  64  |   4  |     4      | 2^32.72   |    -      | 2^48.46 
          |  4   | 128  |   2  |     4      | 2^49.80   |    -      | 2^65.54 
          |  5   | 256  |   1  |     4      | 2^83.96   |    -      | 2^99.70 

(a) Check whether the pairs satisfy the desired input difference 


for the whole differential path. Then, instead of the 2^{49.80} existing solutions 
for each list, we can consider 2^{44.8} elements on each list. 

2. First, we merge the lists L_{A,2} and L_{A,3}. We have 16-bit conditions on values 
and 16-bit conditions on differences. We obtain a new list L_{A,23} of size 
2^{44.8+44.8-32} = 2^{57.6}. We do the same with L_{B,2} and L_{B,3} to obtain L_{B,23}. 
Note that this list does not need to be stored, as we can perform the following 
step whenever an element is found. 

3. In order to find a whole solution for the differential part of inbounds 2 and 
3, one pair of elements from L_{A,23} and from L_{B,23} still needs to satisfy the 
following conditions: 32 bits from the parts L_{A,2} and L_{B,3}, 32 bits from 
L_{B,2} and L_{A,3}, 3.91 × 4 from step 5 of inbound 2 that we have not 
yet verified and 3.91 × 4 from step 5 of inbound 3 that is not yet verified 
either. Therefore, we have 95.28-bit conditions in total to merge L_{A,23} and 
L_{B,23}. For each element in L_{B,23} we can check with constant cost whether the 
corresponding element appears in L_{A,23} (this can be done by a lookup in a 
table representing the differential transitions of L, followed by a lookup in 
the list L_{A,23} to see whether the wanted elements appear; see [13,12] and Figure [?] 
for more details). When we find a good pair, we store it in the list L_{23}, 
which has a size of about 2^{19.92} elements satisfying the differential part of 
rounds 4 to 16. The cost of this step is then 2^{57.6+1} in time and 2^{59.6} 
in memory. 

4. Do the same with inbounds 5 and 6 to obtain the list L_{56} of size 2^{19.92}, with a 
cost of 2^{57.6+1} in time and 2^{57.6} in memory. 

5. Merge the solutions obtained in the first inbound with the ones in L_{23}, ob- 
taining a new set L_{123} of size 2^{19.92+23.44-32} = 2^{11.36}. 

6. Merge the solutions obtained from step 4 with the list L_{56}, obtaining a new one, 
L_{456}, of size 2^{19.92+32.72-32} = 2^{20.64}. 

7. Finally, merging L_{123} and L_{456} gives 2^{11.36+20.64-32} = 1 partial solution for 
the differential part of the path from round 0 to round 32. 

The complexity of obtaining one partial solution for rounds 0 to 32 is dom- 
inated by Steps 2 to 4 of the algorithm. As a result, the complexity of matching 
the active bytes becomes 2^{59.6} in time and 2^{57.6} in memory. 
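The list-merging operation that Steps 2 to 4 rely on (join two lists under c-bit conditions through a table lookup, so the cost is linear in the list sizes instead of 2^{a+b}, and about 2^{a+b-c} pairs survive) in a small generic form, as an added example that is not the paper's code: the two lists are constructed random 24-bit words, the "condition" is agreement on the low 12 bits, and the merge is written as a generator so that the merged list, like L_{A,23} above, never has to be stored.

```python
import random
from collections import defaultdict

# Constructed parameters for the demonstration (not the paper's values):
# two lists of 2^A_BITS and 2^B_BITS random words, merged under COND_BITS bit conditions.
WORD_BITS, COND_BITS = 24, 12
A_BITS, B_BITS = 10, 10


def make_list(size_bits, seed):
    """Constructed stand-in for an inbound list: 2^size_bits random words."""
    rng = random.Random(seed)
    return [rng.getrandbits(WORD_BITS) for _ in range(1 << size_bits)]


def condition_key(word):
    """The c bits on which two elements must agree (here: the low COND_BITS bits)."""
    return word & ((1 << COND_BITS) - 1)


def merge_lists(list_a, list_b):
    """Yield every pair (x, y) with condition_key(x) == condition_key(y).

    Only list_a is indexed (memory 2^a); list_b is streamed and the merged
    list is never materialised, as in the note on L_{A,23} above.  The work is
    about 2^a + 2^b plus the number of surviving pairs, not 2^{a+b}.
    """
    index = defaultdict(list)
    for x in list_a:
        index[condition_key(x)].append(x)
    for y in list_b:
        for x in index.get(condition_key(y), ()):
            yield x, y


def expected_merged_size_bits(a_bits, b_bits, cond_bits):
    """The paper's size estimate for a merge: 2^{a+b-c} pairs (returned as the exponent)."""
    return a_bits + b_bits - cond_bits


def count_merged(seed_a=1, seed_b=2):
    """Number of surviving pairs found by the table-lookup merge."""
    la, lb = make_list(A_BITS, seed_a), make_list(B_BITS, seed_b)
    return sum(1 for _ in merge_lists(la, lb))


def count_bruteforce(seed_a=1, seed_b=2):
    """Quadratic reference (2^{a+b} comparisons), used only to check the merge."""
    la, lb = make_list(A_BITS, seed_a), make_list(B_BITS, seed_b)
    return sum(1 for x in la for y in lb if condition_key(x) == condition_key(y))


if __name__ == "__main__":
    print("expected about 2^%d pairs, found %d"
          % (expected_merged_size_bits(A_BITS, B_BITS, COND_BITS), count_merged()))
```

With 2^{10} elements on each side and 12-bit conditions the merge returns around 2^{10+10-12} = 2^{8} pairs; the same count is obtained by the quadratic comparison, which is what the lookup table replaces.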

3.2 Matching the Passive Bytes 

In Figure [?], colored boxes denote the S-boxes whose values have already been 
fixed by the inbound phases. Note that we have not treated the passive bits 
yet (i.e., found the remaining values that would complete the path). We 
propose a way of finding 2^{32} solutions that verify the path from round 4 to round 26 
with time complexity 2^{96} and memory complexity 2^{51.58}. This can be done in 
three steps as follows: 

1. (Rounds 10 to 14): The sets of groups of 8 bits denoted by a, b, c, d, e, f in 
round 14 are independent of each other in this part of the path. In round 
10, 32 bits are already fixed for each of these sets (groups of 4 bits denoted 
by A, B, C, D, E, F). By using all possible values of the remaining 96 passive 
bits (32 bits not fixed from A, B, C, D, E, F plus 64 from the remaining state 
at round 10), we can easily compute a list of 2^{96} elements with cost 2^{96} that 
satisfy the 32-bit conditions for each of the groups. 
2. (Rounds 14 to 20): In round 20, we have 256 bits (green S-boxes) whose 
values are fixed by the solutions of the second inbound phase. We can 
divide the state in round 19 (back to the state in round 14) into 4 independent 
parts (m, n, o, p). In Figure [?], the fixed bits coming from round 20 are de- 
noted by green lines and the ones of the first inbound phase are denoted 
in blue. Note that the three parts m, n, o are identical, while p is dif- 
ferent since there are some differences and some additional fixed values in 
it. 


We fix the parts m and n to some values that satisfy all the conditions 
of the fixed bits in rounds 19 and 14. This can be done as follows: similar 
to what we have done in step 1, we can divide the state of rounds 16 to 19 
(for each part separately) into four groups (x, y, z, u) such that they are 
independent of each other when computing forwards. 

In round 16, each group has 16 bits whose values have already been fixed 
and 48 bits of freedom. We see that each group affects only one fourth of the 
green lines (16 bits in total) in round 19. Therefore, there exist 2^{48-16} = 2^{32} 
possibilities for each group x, y, z, u, but we just need one. This one can then 
be found with a cost of about 2^{16}. 

3. (Merging): Each of the sets L_a, ..., L_f has 2^{96} possible values from step 1, 
and fixing m and n fixes 64 bits for each of them in round 14. This gives us 
on average 2^{96-64} = 2^{32} possible values for each set in the half of the state 
associated to o and p in round 14. 

For the part p we use the same idea explained in step 2. Group x is 
completely fixed due to the differential characteristic, and only the groups 
y, z, u have freedom, so there exist (2^{32})^3 = 2^{96} possibilities. For each pos- 
sibility, we compute the part of the state in round 14 associated to p. We have 
32 bits of condition for each of the lists, and on average 2^{32} values are associated 
to each list. Thus, for each of the computed values, we will have only one 
remaining element, which determines the values at positions a to f in the 
part o. 

Now, we have 2^{96} possible o values. The probability that a fixed value 
verifies the conditions of o in round 19 is (2^{-4})^{16} = 2^{-64}. Therefore, we 
obtain 2^{96-64} = 2^{32} solutions that verify the whole path from round 4 to 
round 26 with a time complexity of 2^{96}. 

Note that we do not need to store the lists L_a, ..., L_f of elements from round 
14, each of size 2^{96}; instead we can store for each of them two lists of size 
2^{48} corresponding to the upper and lower halves of the corresponding groups 
in state 13. Then, when fixing a value of m and n, we can check with a cost of 
2^{32} which will be the list of 2^{32} values for o and p that we obtained in step 3. 
Finally, we have obtained 2^{32} complete solutions for the path from round 4 to round 26 with 
a cost of 2^{96} in time, and 6 · 2 · 2^{48} ≈ 2^{51.58} in memory. 

Semi-free-start near-collisions up to 32 rounds: Up to now, we have found 
solutions for the passive bytes from rounds 4 to 26. If we want a solution for the 
path from round 0 to round 26, we have to repeat the previous procedure of 
matching the passive bytes 2^{16} times (as the probability of passing from round 
0 to 4 is 2^{-48} and we have 2^{32} pairs). Then, we can find a solution for rounds 
0 to 26 with time complexity 2^{112}. In order to extend this result to 32 rounds, 
we have to repeat the previous procedure 2^{192} times (since we have 64 and 128 
bits of condition from rounds 26 and 27 respectively). Therefore, the complexity 
of finding a complete solution for rounds 0 to 32 is 2^{112} · 2^{192} = 2^{304} in 
time. 

Note that we still have enough degrees of freedom. In step 1, we started with 
768 bits (128 × 6 from the groups a to f) in round 14 and matched 192 bits (32 × 6 
for A to F) in round 10. In step 2, we have 48 bits in round 16 coming from the 
fourth inbound phase and we matched another 240 bits from the fifth inbound 
phase in round 19. So in total we have 768 − 192 − 48 − 240 = 288 bits of degrees 
of freedom remaining. 


3.3 Outbound Phase 

The outbound phase of the attack is composed of 5 rounds in the forward direc- 
tion. A detailed schema of this trail is shown in Figure [?] in the appendix, and for the 
pairs that satisfy the inbound phase, we expect to see the following differential 
trail in the outbound phase: 

Inbound Phase → 4 → 8 → 16 → 8 → 4 → 8 

Semi-free-start near-collisions up to 37 rounds. For 32 rounds of the JH 
compression function, we obtain a semi-free-start near-collision for 1002 bits. We 
can simply increase the number of rounds by proceeding forwards in the out- 
bound phase. Note that we have an additional probability of 2^{-32} × 2^{-16} coming 
from the eight filtering conditions in round 34 and the four filtering conditions 
in round 35. Thus, the complexity of the active part of the attack remains the 
same: 2^{59.6} in time and 2^{57.6} in memory. This is the case because one solution for the 
differential part is enough for the attack, as it will have different values at the 
bits with conditions in the outbound part when the passive part is modified. 
The complexity of the passive part becomes 2^{304} · 2^{48} = 2^{352} in time and 2^{51.58} 
in memory. 

The details can be seen in Table 3. We also take into account the colliding 
bits that we obtain at the output of the compression function after the final 
degrouping with the differences from the message. 
Table 3. Comparison of complexity of the generic attack for near-collisions and our 
results 

# Rounds | # Colliding bits | Generic Attack Complexity | Our Results 
   23    |       892        |        2^{230.51}         |  2^{59.6} 
  24-26  |       762        |        2^{99.18}          |  2^{59.6} ^a 
   26    |       960        |        2^{341.45}         |  2^{112} 
   27    |       896        |        2^{236.06}         |  2^{112} 
   32    |      1002        |        2^{437.12}         |  2^{304} 
   33    |       986        |        2^{396.77}         |  2^{304} 
   34    |       954        |        2^{329.97}         |  2^{304} 
   35    |       986        |        2^{396.77}         |  2^{336} 
   36    |      1002        |        2^{437.12}         |  2^{352} 
   37    |       986        |        2^{396.77}         |  2^{352} 
   38    |       928        |        2^{284.45}         |  2^{352} 

^a Obtained directly from the solutions of the active part, without need of matching 
the passive bits. 

4 Distinguishers on JH 

Indifferentiability is considered to be a desirable property of any secure hash 
function design. Moreover, for many of the designs, the indifferentiability proofs 
for the mode of operation are based on the assumption that the underlying 
permutation (function) is ideal (i.e., a random permutation). This is the case 
for the indifferentiability proof of JH [?], which supposes that E_8 is a random 
permutation. 

In this section, we present a distinguisher for E_8 showing that it is distinguish- 
able from a random permutation. Using the differential path that we presented 
in the previous section, we can build the distinguishers on the full 42 rounds of 
the internal permutation E_8 with no additional complexity. As a result of our 
distinguisher, the proof from [?] does not apply to JH, as the assumption of E_8 
behaving like a random permutation does not hold. Next, we explain how these distinguish- 
ers on the internal permutation can be easily extended to distinguishers on the 
compression function. 

There exists also a known trivial distinguisher on the construction of the 
compression function of JH: If the chaining value has a difference that can 
be cancelled by the message block, then the output will have a difference di- 
rectly related to the one coming from the message block. This implies that both 
the message and the chaining values have differences. Contrary to the trivial 
one, our compression function distinguisher exploits the properties of the inter- 
nal permutation and only needs differences in the message or in the chaining 
value. 
4.1 Distinguishers on the Reduced-Round Internal Permutation 

Let us remark here briefly that if we find solutions for rounds 4 to 20, and then 
let them spread freely backward (difference in 64 bits) and forward (difference 
in 256 bits), we can obtain a distinguisher for 26 rounds with a much lower 
complexity: 2^{59.6} in time and 2^{57.6} in memory (the cost of the differential part). 
As in this paper the aim is reaching a higher number of rounds, we do not go 
further into the details. 


4.2 Distinguishers on the Full Internal Permutation 

In the previous sections we showed that a solution for 37 rounds can be obtained 
with a complexity of 2^{352} in time and 2^{57.6} in memory. In Figure [?] in the 
appendix, we see how these active words diffuse to the state after 42 rounds with 
probability one. Therefore, before the degrouping operation we have 64 active 
and 192 passive words in the state. The numbers of active and passive bits 
remain the same after the degrouping operation. It is important to remark that 
the positions of the active bits are fixed, also after the degrouping operation. 

We can then build a distinguisher that will distinguish the 42-round permuta- 
tion E_8 from a random permutation using this path. This distinguisher aims at 
finding a pair of input states (A, A') such that E_8(A) ⊕ E_8(A') collide in the 768 
bits mentioned above. Let A ⊕ A' = Δ_1 correspond to the input difference of the 
differential path; then |Δ_1| = 8 bits. Similarly, let B = E_8(A) and B' = E_8(A'); 
then the output difference is B ⊕ B' = Δ_2, where |Δ_2| = 256. 

In the case of a random function, we calculate the complexity of such a dis- 
tinguisher as follows: we fix the values of the passive bits in the input, but not 
those of the active bits. Then, we have 2^{|Δ_1|} possibilities for the values of 
the active bits. We compute the output of E_8 for each one of these values and 
store them in a list. From this list we can obtain \binom{2^{|Δ_1|}}{2} pairs with the given 
input difference pattern. The probability of satisfying the desired output differ- 
ence pattern is 2^{|Δ_2| - 1024} for each pair, so we repeat the procedure with a new 
value for the input passive bits until we find a solution. The time complexity of 
finding such an input pair will be: 

\frac{2^{|Δ_1|}}{2^{|Δ_1| - 1} \cdot (2^{|Δ_1|} - 1) \cdot 2^{|Δ_2| - 1024}}. 

Instead, in our case the complexity of finding such an input pair is the complexity 
of finding a solution for the path, that is 2^{352} in time and 2^{57.6} in memory. 

Another distinguisher of E_8 can be built if we consider the scenario where the 
differential path for rounds 0 to 4 does not need to be verified, i.e., |Δ_1| = 64. 
In this case, we consider that from round 4 to round 0 we obtain the differences that 
propagate with probability one. Therefore, the matching of the passive part does 
not need to be repeated 2^{208} times but only 2^{160} (as we do not need the 2^{48} extra 
repetitions for verifying rounds 0 to 4). The complexity of this distinguisher will 
then be 2^{304}, and it provides a pair of inputs A and A' that produce an output 
with 768 colliding bits as the ones represented in Figure [?] in the appendix. The 
complexity of such a generic distinguisher would be 
2^{64} / (2^{63} \cdot (2^{64} - 1) \cdot 2^{256 - 1024}) ≈ 2^{705}, while 
in our case it is 2^{304} in time and 2^{57.6} in memory. 

4.3 Distinguishers on the Full Compression Function 

We should emphasize that our distinguishers on E_8 can be easily converted to 
distinguishers on the full compression function of JH42. We only need to XOR the 
message difference to the output of E_8 as specified. 

For our first distinguisher, the input difference is already arranged such that 
we only have a difference in the message. These active bits coming from the mes- 
sage coincide with the active bits in the output at the XOR operation. As a result, 
we have the same 768 passive bits. The same applies to our second distinguisher, 
where we have differences only in the chaining value. 

5 Conclusion 

In this paper, we have presented semi-free-start internal near-collisions up to 37 
rounds by using rebound attack techniques. We first obtained a 960-bit semi- 
free-start near-collision for 26 rounds of the JH compression function with a time 
complexity of 2^{112} and a memory complexity of 2^{57.6}. We then extended this to a 
986-bit semi-free-start near-collision for 37 rounds by repeating the algorithm. 
The time complexity of the attack is increased to 2^{352} and the memory complexity 
remains the same. We also presented semi-free-start near-collision results for 
intermediate rounds 26 to 37 in Table 3. Our findings are summarized in Table [?]. 
Even more, we have presented distinguishers on the full 42 rounds of the in- 
ternal permutation E_8 of the tweaked SHA-3 finalist JH. The best distinguisher 
has a complexity of 2^{304} in time and 2^{57.6} in memory and provides solutions 
for the differential path on the 42 rounds. Obtaining such a pair of inputs pro- 
ducing the same truncated differential in the output for a random function would 
cost 2^{705} in time. Our internal permutation distinguishers can easily be extended 
to compression function distinguishers with the same complexity. 

Although our results do not present a threat to the security of the JH hash 
function, they invalidate the JH indifferentiability proof presented in [?]. 
Abstract. In this work, we introduce a new non-random property for 
hash/compression functions using the theory of higher order differen- 
tials. Based on this, we show a second-order differential collision for the 
compression function of SHA-256 reduced to 47 out of 64 steps with 
practical complexity. We have implemented the attack and provide an 
example. Our results suggest that the security margin of SHA-256 is 
much lower than the security margin of most of the SHA-3 finalists in 
this setting. The techniques employed in this attack are based on a rect- 
angle/boomerang approach and cover advanced search algorithms for 
good characteristics and message modification techniques. Our analysis 
also exposes flaws in all of the previously published related-key rectangle 
attacks on the SHACAL-2 block cipher, which is based on SHA-256. We 
provide valid rectangles for 48 steps of SHACAL-2. 

Keywords: Hash functions, higher-order differentials, non-randomness, 
SHA-256, SHACAL-2. 


1 Introduction 

The significant advances in the field of hash function research that have been 
made in recent years have had a formative influence on the landscape of hash func- 
tions. The analysis of MD5 and SHA-1 has convinced many cryptographers that 
these widely deployed hash functions can no longer be considered secure [39,40]. 
As a consequence, people are evaluating alternative hash functions in the SHA-3 
initiative organized by NIST [?]. During this ongoing evaluation, not only the 
three classical security requirements (preimage resistance, 2nd preimage resis- 
tance and collision resistance) are considered. Researchers look at (semi-)free- 
start collisions, near-collisions, etc. Whenever a behavior different from the one 
expected of a 'random oracle' can be demonstrated for a new hash function, it is 
considered suspect, and so are the weaknesses that are demonstrated only for the 
compression function. In light of this, for four out of the five third-round SHA-3 
candidates the best attacks are in the framework of distinguishers: the boomerang 
distinguisher for BLAKE [?], the differential distinguisher for Grøstl [32], the zero-sum 
distinguisher on Keccak [?] and the rotational rebound distinguisher for Skein [?]. 
With the cryptographic community joining forces in the SHA-3 competition, 
the SHA-2 family gets considerably less attention. Apart from being marked 
as 'relying on the same design principle as SHA-1 and MD5', the best attacks 
to date on SHA-256 are a collision attack for 24 out of 64 steps with practical 
complexity [13,33] and a preimage attack on 45 steps [?] having a complexity 
of 2^{255.5}. 

Higher-order differentials were introduced by Lai in [?] and first applied 
to block ciphers by Knudsen in [?]. The application to stream ciphers was pro- 
posed by Dinur and Shamir in [?] and Vielhaber in [?]. First attempts to apply 
these strategies to hash functions were published in [?]. Recently, higher-order 
differential attacks have been applied to several hash functions submitted to the 
SHA-3 initiative organized by NIST, such as BLAKE [?], Hamsi [?], Keccak [?], 
and Luffa [22]. 

In this work, we present a second-order differential collision for the SHA-256 
compression function on 47 out of 64 steps having practical complexity. The 
attack is an application of higher-order differentials to hash functions. Table [?] 
shows the resulting example. 

Since our attack technique resembles boomerang/rectangle attacks, known 
from the cryptanalysis of block ciphers, we use a strict criterion for checking 
that the switch in the middle does not contain any contradictions that can 
appear due to the independence assumption of the characteristics used in the 
rectangle. We show that all the previous related-key rectangle distinguishers for 
SHACAL-2 have a common flaw in the switch due to these assumptions and 
present a rectangle distinguisher for 48 steps that passes our check. 

Our analysis shows that the compression functions exhibit non-random prop- 
erties, though they do not lead to collision/preimage attacks on the hash func- 
tions. Nevertheless, the attacks give a clear indication that if we compare the 
security of SHA-256 to the security of the third-round SHA-3 candidates in 
this setting, then SHA-256 has one of the lowest security margins. 

2 Higher-Order Differential Collisions for Compression 
Functions 

In this section, we give a high-level description of the attack. It is an application 
of higher-order differential cryptanalysis on hash functions. While a standard 
differential attack exploits the propagation of the difference between a pair of 
inputs to the corresponding output differences, a higher-order differential attack 
exploits the propagation of the difference between differences. 

Higher-order differential cryptanalysis was introduced by Lai in [?] and sub- 
sequently applied by Knudsen in [?]. We recall the basic definitions that we will 
use in the subsequent sections. 

Definition 1. Let (S, +) and (T, +) be abelian groups. For a function f: S → T, 
the derivative at a point a_1 ∈ S is defined as 

\Delta_{(a_1)} f(y) = f(y + a_1) - f(y).   (1) 

The i-th derivative of f at (a_1, a_2, ..., a_i) is then recursively defined as 

\Delta_{(a_1, \ldots, a_i)} f(y) = \Delta_{(a_i)} \big( \Delta_{(a_1, \ldots, a_{i-1})} f(y) \big).   (2) 
Definition 2. A one-round differential of order i for a function f: S → T is 
an (i + 1)-tuple (a_1, a_2, ..., a_i; b) such that 

\Delta_{(a_1, \ldots, a_i)} f(y) = b.   (3) 

When applying differential cryptanalysis to a hash function, a collision for the 
hash function corresponds to a pair of inputs with output difference zero. Sim- 
ilarly, when using higher-order differentials we define a higher-order differential 
collision for a function as follows. 

Definition 3. An i-th-order differential collision for f: S → T is an i-tuple 
(a_1, a_2, ..., a_i) together with a value y such that 

\Delta_{(a_1, \ldots, a_i)} f(y) = 0.   (4) 

Note that the common definition of a collision for hash functions corresponds to 
a higher-order differential collision of order i = 1. 

In this work, we concentrate on second-order differential collisions, i.e. i = 2: 

f(y) - f(y + a_2) + f(y + a_1 + a_2) - f(y + a_1) = 0.   (5) 

Further, we assume that we have oracle access to a function f: S → T and 
measure the complexity in the number of queries to f, i.e. the query complexity, 
while ignoring all other computations, memory accesses, etc. Additionally, we 
restrict ourselves to functions f mapping to groups (T, +) with |T| = 2^n 
which are endowed with an additive operation. 

Definition 4. Let f: S → T be as above. A solution (y, a_1, a_2) ∈ S^3 to (5) 
is called trivial if the complexity of producing it is O(1); otherwise it is called 
non-trivial. 

Lemma 1. Let f: S → T be as above. Then, a trivial solution to (5) can be 
found if 

1. f is linear, or 

2. at least one of a_1, a_2 is zero, or 

3. a_1 = a_2 and the group (T, +) is of the form 

(T, +) \cong (\mathbb{Z}_2, +)^{n-ℓ} \oplus (\mathbb{Z}_{2^ℓ}, +),   (6) 

for small ℓ. 

Proof. If f is a linear function, then (5) collapses and any choice of (y, a_1, a_2) 
is a valid solution. Under the assumption that f is drawn uniformly at random 
from all functions f: S → T, and T is not as in (6), the only trivial 
solution to equation (5) is when the inputs coincide, i.e. either y = y + a_2 and 
y + a_1 + a_2 = y + a_1, leading to the case where a_2 = 0, or y = y + a_1 and 
y + a_1 + a_2 = y + a_2, leading to a_1 = 0. 

In the third case, equation (5) boils down to 2 f(y) = 2 f(y + a). In general 
this is a classical meet-in-the-middle problem; however, if (T, +) is as in (6), this 
equation holds with probability 2^{-(ℓ-1)} for a random function f, which leads 
to trivial solutions for small values of ℓ. 

For all the other cases, the problem of finding a solution is an instance of the 
generalized birthday problem proposed by Wagner [?], and therefore the number 
of queries depends on n. ∎ 

We now want to lower bound the query complexity of producing a non-trivial 
differential collision of order 2. 

Theorem 1. For a function f: S → T with |T| = 2^n, the query complexity for 
producing a non-trivial differential collision of order 2 is Ω(2^{n/3}). 

Proof. To find an input (y, a_1, a_2) such that (5) holds, one has to try around 
2^n different tuples; otherwise the required value 0 may not appear. We can 
freely choose three input parameters, i.e. y, a_1, a_2, which then fix the remaining 
one. Therefore, (5) can be split into three parts (but not more!), and solved by 
generating three independent lists of values. Obviously, the number of queries is 
lowest when these lists have equal size. Hence, to have a solution for (5), one 
has to choose 2^{n/3} values for each of y, a_1, a_2, and therefore the query complexity 
of a differential collision of order 2 for f is Ω(2^{n/3}). ∎ 

Remark 1. We want to note that the actual complexity might be much higher 
in practice than this bound for the query complexity. We are not aware of any 
algorithm faster than 2^{n/2}, since dividing (5) into three independent parts is not 
possible (one of the terms has all the inputs, and any substitution of variables 
leads to a similar case). 


2.1 Second-Order Differential Collision for Block-Cipher-Based 
Compression Functions 

In all of the following, we consider block ciphers E: {0,1}^k × {0,1}^n → {0,1}^n, 
where n denotes the block length and k is the key length. For our purposes, we 
also need to endow {0,1}^n with an additive group operation. It is, however, 
not important in which way this is done. A natural way would be to simply use 
the XOR operation on {0,1}^n, or the identification {0,1}^n ≅ \mathbb{Z}_{2^n} and define the 
addition of a, b ∈ {0,1}^n by a + b mod 2^n. Alternatively, if we have an integer 
w dividing n, that is n = ℓ · w, we can use the bijection between {0,1}^n and \mathbb{Z}_{2^w}^{ℓ} and 
define the addition as the word-wise modular addition, that is, 

(\{0,1\}^n, +) := (\mathbb{Z}_{2^w}, +) \times \cdots \times (\mathbb{Z}_{2^w}, +).   (7) 



The latter definition clearly aims very specifically at the SHA-2 design. However, 
the particular choice of the group law has no influence on our attack. 

A well-known construction to turn a block cipher into a compression function 
is the Davies-Meyer construction. The compression function call to produce the 
i-th chaining value x_i from the i-th message block m_i and the previous chaining 
value x_{i-1} has the form: 

x_i = E(m_i, x_{i-1}) + x_{i-1}.   (8) 

When attacking block-cipher-based hash functions, the key is not a secret param- 
eter, so for the sake of readability we slightly restate the compression function 
computation (8): we consider an input variable y = (k || x) ∈ {0,1}^{k+n} so 
that a call to the block cipher can be written as E(y). Then, the Davies-Meyer 
compression function looks like: 

f(y) = E(y) + \tau_n(y),   (9) 

where \tau_n(y) represents the n least significant bits of y. 

In an analogous manner, we can also write down the compression functions for 
the Matyas-Meyer-Oseas and the Miyaguchi-Preneel mode which are all covered 
by the following proposition. 

Proposition 1. For any block-cipher-based compression function which can be 
written in the form 

f(y) = E(y) + L(y),   (10) 

where L is a linear function with respect to "+", an i-th-order differential colli- 
sion for the block cipher transfers to an i-th-order collision for the compression 
function for i ≥ 2. 

For the proof of Proposition 1 we need the following property of \Delta_{(a_1, \ldots, a_i)} f(y): 

Proposition 2 (Lai [?]). If deg(f) denotes the non-linear degree of a multi- 
variate polynomial function f, then 

\deg(\Delta_{(a)} f(y)) \le \deg(f(y)) - 1.   (11) 

Proof (of Proposition 1). Let \Delta_{(a_1, \ldots, a_i)} E(y) = 0 be an i-th-order differential 
collision for E(y). Both the higher-order differential and the mode of opera- 
tion for the compression function are defined with respect to the same additive 
operation on {0,1}^n. Thus, from (10) we get 

\Delta_{(a_1, \ldots, a_i)} (E(y) + L(y)) = \Delta_{(a_1, \ldots, a_i)} E(y) + \Delta_{(a_1, \ldots, a_i)} L(y), 

so we see that all the terms vanish, because the linear function L(y) has degree 
one and so, for i ≥ 2, by Proposition 2 we end up with an i-th-order differential collision for the 
compression function. ∎ 

Hence, if we want to construct a second-order collision for the compression 
function f, it is sufficient to construct a second-order collision for the block cipher. 
The main idea of the attack is now to use two independent high-probability 
differential characteristics, one in the forward and one in the backward direction, to 
construct a second-order differential collision for the block cipher E and hence, 
due to Proposition 1, for the compression function. 

Therefore, the underlying block cipher E is split into two subparts, E = 
E_1 ∘ E_0. Furthermore, assume we are given two differentials for the two subparts, 
where one holds in the forward direction and one in the backward direction, and 
we assume that both have high probability. This part of the strategy has 
already been applied in other cryptanalytic attacks; we refer to Section 2.2 for related 
work. We also want to stress that, due to our definition above, the following 
differentials are actually related-key differentials. We have 

E_0^{-1}(y + \beta) - E_0^{-1}(y) = \alpha,   (12) 

E_1(y + \gamma) - E_1(y) = \delta,   (13) 


where the differential in E_0^{-1} holds with probability p_0 and the one in E_1 holds with 
probability p_1. Using these two differentials, we can now construct a second- 
order differential collision for the block cipher E. This can be summarized as 
follows (see also Figure 1). 

1. Choose a random value for X and compute X* = X + β, Y = X + γ, and 
Y* = X* + γ. 

2. Compute backward from X, X*, Y, Y* using E_0^{-1} to obtain P, P*, Q, Q*. 

3. Compute forward from X, X*, Y, Y* using E_1 to obtain C, C*, D, D*. 

4. Check if P* − P = Q* − Q and D − C = D* − C* are fulfilled. 

Due to (12) and (13), 

P^* - P = Q^* - Q = \alpha, \quad \text{resp.} \quad D - C = D^* - C^* = \delta,   (14) 

will hold with probability at least p_0^2 in the backward direction, resp. p_1^2 in 
the forward direction. Hence, assuming that the differentials are independent, 
the attack succeeds with a probability of p_0^2 · p_1^2. It has to be noted that this 
independence assumption is quite strong, cf. [?]. However, if this assumption 
holds, the expected number of solutions to (14) is 1 if we repeat the attack 
about 1/(p_0^2 · p_1^2) times. As mentioned before, in our case there is no secret key 
involved, so message modification techniques (cf. [?]) can be used to improve 
this complexity. 

The crucial point now is that such a solution constitutes a second-order
differential collision for the block cipher $E$. We can restate (14) as

$Q^* - Q - P^* + P = 0$   (15)

$E(Q^*) - E(P^*) - E(Q) + E(P) = 0$   (16)

If we set $\alpha := \alpha_1$ and the difference $Q - P := \alpha_2$, we can rewrite (16) as

$E(P + \alpha_1 + \alpha_2) - E(P + \alpha_1) - E(P + \alpha_2) + E(P) = 0$,   (17)

that is, we have found a second-order differential collision for the block cipher
$E$. Because of Proposition Q the same statement is true for the compression
function.
Fig. 1. Schematic view of the attack


2.2 Related Work 

The attack presented in this paper stands in relation to previous results in the
field of block cipher and hash function cryptanalysis. Figure 1 suggests that it
stands between the boomerang attack and the inside-out attack, which were both
introduced by Wagner in 125!, and also the rectangle attack by Biham et al. 0.
For the related-key setting, we refer to 0 (among others). We also want to refer
to the amplified boomerang attack EEj. A previous application of the boomerang
attack to block-cipher-based hash functions is due to Joux and Peyrin |T5j, who
used the boomerang attack as a neutral bits tool. Another similar attack strategy
for hash functions is the rebound attack introduced in jZZj. Furthermore, the
second-order differential related-key collisions for the block cipher used in Section 2.1
are called differential q-multi-collisions, introduced by Biryukov et al.
in (5| with $q = 2$. Recently, an attack framework similar to this was proposed
in {61221 and applied to HAVAL in jTH].

3 Application to SHA-256 

In the light of the breakthrough results of Wang et al. on the hash functions 
MD5 and SHA-1, the analysis of SHA-256 is of great interest. Moreover, SHA-2 
is a reference point in terms of speed but also security for the SHA-3 candidates. 

In the last few years several cryptanalytic results have been published for
SHA-256. The security of SHA-256 against preimage attacks was first studied
by Isobe and Shibutani in P~l. They presented a preimage attack on 24 steps.
This was improved by Aoki et al. to 43 steps in Q and later extended to 45
steps by Khovratovich et al. in M-. All attacks are only slightly faster than the
generic attack, which has a complexity of about $2^{256}$. In [2H1, Mendel et al. studied
the security of SHA-256 with respect to collision attacks. They presented
the collision attack on SHA-256 reduced to 18 steps. After that these results
have been improved by several researchers. In particular, Nikolic and Biryukov
improved in eh the collision techniques, leading to a collision attack for 23 steps
of SHA-256. The best collision attacks so far are extensions of EH-: Indesteege
et al. IS! and Sanadhya and Sarkar |S| both presented collision attacks for 24
steps. We want to note that, in contrast to the preimage attacks, all these attacks
are of practical complexity. Furthermore, Indesteege et al. showed non-random
properties for SHA-2 for up to 31 steps. At the rump session of Eurocrypt 2008,
Yu and Wang announced that they had shown non-randomness for SHA-256
reduced to 39 steps. In the same presentation they also provided a practical
example for 33 steps. However, no details have been published to date. We are
not aware of any attack on SHA-256 with practical complexity for more than
33 steps. In this section, we show how to construct a second-order differential
collision for SHA-256 reduced to 47 (out of 64) steps, following the attack strategy
described in the previous section. Since the complexity of the attack is quite
low, only $2^{46}$ compression function evaluations, we implemented the attack. An
example of a second-order differential collision for SHA-256 reduced to 47 steps
is shown in Table 3.


3.1 Description of SHA-256 

SHA-256 is an iterated hash function that processes 512-bit input message blocks
and produces a 256-bit hash value. In the following, we briefly describe the
hash function. It basically consists of two parts: the message expansion and the
state update transformation. A detailed description of the hash function is given
in EOj.


Message Expansion. The message expansion of SHA-256 splits the 512-bit
message block into 16 words $M_i$, $i = 0, \ldots, 15$, and expands them into 64 expanded
message words $W_i$ as follows:

$$W_i = \begin{cases} M_i & 0 \le i < 16 \\ \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & 16 \le i < 64 \end{cases}$$

The functions $\sigma_0(X)$ and $\sigma_1(X)$ are given by

$\sigma_0(X) = (X \ggg 7) \oplus (X \ggg 18) \oplus (X \gg 3)$   (18)

$\sigma_1(X) = (X \ggg 17) \oplus (X \ggg 19) \oplus (X \gg 10)$   (19)


State Update Transformation. The state update transformation starts from
a (fixed) initial value IV of eight 32-bit words and updates them in 64 steps. In
each step one 32-bit word $W_i$ is used to update the state variables $A_i, B_i, \ldots, H_i$
as follows:

$T_1 = H_i + \Sigma_1(E_i) + f_1(E_i, F_i, G_i) + K_i + W_i$,

$T_2 = \Sigma_0(A_i) + f_0(A_i, B_i, C_i)$,

$A_{i+1} = T_1 + T_2$, $B_{i+1} = A_i$, $C_{i+1} = B_i$, $D_{i+1} = C_i$,

$E_{i+1} = D_i + T_1$, $F_{i+1} = E_i$, $G_{i+1} = F_i$, $H_{i+1} = G_i$.   (20)


278 A. Biryukov et al. 


For the definition of the step constants $K_i$ we refer to [TOT]. The bitwise Boolean
functions $f_1$ and $f_0$ used in each step are defined as follows:

$f_0(X, Y, Z) = X \wedge Y \oplus Y \wedge Z \oplus X \wedge Z$

$f_1(X, Y, Z) = X \wedge Y \oplus \neg X \wedge Z$   (21)

The linear functions $\Sigma_0$ and $\Sigma_1$ are defined as follows:

(22)


After the last step of the state update transformation, the initial values are 
added to the output values of the last step (Davies-Meyer construction). The 
result is the final hash value or the initial value for the next message block. 
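As an added example that is not part of either paper, the following Python implements the SHA-256 compression function described above (message expansion (18)-(19), state update (20)-(21), Davies-Meyer feed-forward) reduced to a chosen number of steps, and evaluates the second-order differential of Section 2.1, $f(y + \alpha_1 + \alpha_2) - f(y + \alpha_1) - f(y + \alpha_2) + f(y)$, word-wise with modular differences on the chaining input and message block. The $\Sigma_0$, $\Sigma_1$ definitions and the constants follow FIPS 180-3; the sample $y$, $\alpha_1$, $\alpha_2$ are constructed for illustration and are not the values of Table 3.

```python
"""Reduced-step SHA-256 compression function and the second-order differential
collision check f(y+a1+a2) - f(y+a1) - f(y+a2) + f(y) = 0 (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _iroot(n, k):
    """Largest integer r with r**k <= n, by binary search (exact, no float rounding)."""
    lo, hi = 0, 1 << ((n.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo


def _first_primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


_PRIMES = _first_primes(64)
# FIPS 180-3 constants: IV = fractional bits of sqrt(p), K_i = fractional bits of cbrt(p)
IV = [_iroot(p << 64, 2) & MASK for p in _PRIMES[:8]]
K = [_iroot(p << 96, 3) & MASK for p in _PRIMES]


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)   # Sigma_0, eq. (22)
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)   # Sigma_1, eq. (22)
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)      # sigma_0, eq. (18)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)    # sigma_1, eq. (19)
def f0(x, y, z): return (x & y) ^ (y & z) ^ (x & z)            # MAJ, eq. (21)
def f1(x, y, z): return (x & y) ^ ((~x & MASK) & z)            # IF, eq. (21)


def expand(M):
    """Message expansion: 16 words M_i -> 64 expanded words W_i."""
    W = list(M)
    for i in range(16, 64):
        W.append((sigma1(W[i - 2]) + W[i - 7] + sigma0(W[i - 15]) + W[i - 16]) & MASK)
    return W


def compress(iv, M, steps=64):
    """Davies-Meyer compression function, eq. (20), reduced to `steps` steps."""
    W = expand(M)
    A, B, C, D, E, F, G, H = iv
    for i in range(steps):
        T1 = (H + Sigma1(E) + f1(E, F, G) + K[i] + W[i]) & MASK
        T2 = (Sigma0(A) + f0(A, B, C)) & MASK
        A, B, C, D, E, F, G, H = (T1 + T2) & MASK, A, B, C, (D + T1) & MASK, E, F, G
    return [(x + s) & MASK for x, s in zip(iv, (A, B, C, D, E, F, G, H))]


def _add(x, y):
    return [(a + b) & MASK for a, b in zip(x, y)]


def _sub(x, y):
    return [(a - b) & MASK for a, b in zip(x, y)]


def second_order_difference(y, a1, a2, steps):
    """Word-wise modular value of f(y+a1+a2) - f(y+a1) - f(y+a2) + f(y), with
    y, a1, a2 given as 24 words: 8 chaining words followed by 16 message words."""
    f = lambda v: compress(v[:8], v[8:], steps)
    total = _sub(f(_add(_add(y, a1), a2)), f(_add(y, a1)))
    return _add(_sub(total, f(_add(y, a2))), f(y))


def is_second_order_collision(y, a1, a2, steps=47):
    return not any(second_order_difference(y, a1, a2, steps))


def _pad_block(data):
    """Single-block SHA-256 padding (message of at most 55 bytes)."""
    assert len(data) <= 55
    return data + b"\x80" + b"\x00" * (55 - len(data)) + struct.pack(">Q", 8 * len(data))


def sha256_single_block(data):
    """Full 64-step hash of a short message, to validate the implementation."""
    M = list(struct.unpack(">16I", _pad_block(data)))
    return b"".join(struct.pack(">I", w) for w in compress(IV, M, 64))


def reference_digest(data):
    return hashlib.sha256(data).digest()


# Constructed sample input (not the paper's Table 3 values): y = IV plus the padded
# block of "abc"; a1 adds 1 to message word W_0, a2 adds 1 to chaining word E_0.
SAMPLE_Y = IV + list(struct.unpack(">16I", _pad_block(b"abc")))
SAMPLE_A1 = [0] * 8 + [1] + [0] * 15
SAMPLE_A2 = [0] * 4 + [1] + [0] * 19

if __name__ == "__main__":
    print("64-step hash matches hashlib:", sha256_single_block(b"abc") == reference_digest(b"abc"))
    # After one step a1 and a2 never meet inside a nonlinear operation (T1 is a modular
    # sum of terms depending on only one of them), so the second-order difference is
    # identically zero; after 47 steps the same pair is not a collision.
    for s in (1, 2, 47):
        print(s, "steps:", is_second_order_collision(SAMPLE_Y, SAMPLE_A1, SAMPLE_A2, s))
```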

3.2 Differential Characteristics 

Finding the differential characteristics for both the backward and forward direction
is the most important and difficult part of the attack. Not only do the differential
characteristics need to be independent, they also need to have high probability
in order to result in a low attack complexity. As noted before, in general
the assumption of independent characteristics is quite strong, cf. m-.

We apply a particular approach to construct the differential characteristics that
are used to construct second-order differential collisions for reduced SHA-256. We
run a full search for sub-optimal differential characteristics, i.e. characteristics
with the following properties:

— use a linearized approximation of the attacked hash function, i.e. approximate
all modular additions by the xor operation;

— approximate the Boolean functions $f_0$ and $f_1$ by the 0-function, except in the
bits $j$ where either $\Delta A_i[j] = \Delta B_i[j] = \Delta C_i[j] = 1$ or $\Delta F_i[j] = \Delta G_i[j] = 1$;
in these bits approximate with 1. This requirement comes from the fact that
if all three inputs to $f_0$ have a difference, then the output has a difference
(with probability 1); a similar property holds for $f_1$. Note that it is possible
to approximate some bits with either 0 or 1; however, this introduces a high
branching leading to an infeasible search;

— the characteristic has a single-bit difference in the message word at some step
$i$ ($i < 16$), followed by 15 message words without difference. When using such a
characteristic, 16 steps (the ones that follow $i$) can be passed with probability
1; arguably, any characteristic that does not follow this strategy will have
a low probability due to the fast diffusion of the difference coming from the
message words. This type of characteristic was used to construct various
related-key rectangle distinguishers for SHACAL-2 [Till 912 312413 Hj.

Once we have the set of sub-optimal characteristics, we try to combine them
for the second-order differential collision scenario, i.e. we try to check if the switch
in the middle is possible. This is a very important requirement, as some of the
characteristics cannot be combined, i.e. their combination leads to contradictions.
Some of the conditions for the switch can be checked only by examining
the differences in the characteristics, while others are checked by confirming
experimentally the absence of contradictions in the switch.


Table 1 . Differential characteristic for steps 1-22 using signed-bit-differences 



In Table 1 and Table 2 the differential characteristics for both forward and
backward direction are shown. Furthermore, the probabilities for each step of
the differential characteristics are given. Note that for now we assume that the
differential characteristic in the message expansion will hold with probability 1.
To describe the differential characteristic we use signed-bit differences introduced
by Wang et al. in the cryptanalysis of MD5 jU3j. The advantage of using signed-bit
differences is that there exists a unique mapping to both xor and modular
differences. Another advantage is that the feedforward in SHA-256 is modular,
hence no additional probability will be introduced for this operation.

3.3 Complexity of the Attack 

Using the differential characteristics given in the previous section, we can
construct a second-order differential collision for SHA-256 reduced to 47 out of 64
steps. The differential characteristic used in the backward direction holds with
probability $2^{-28}$ and the differential characteristic used in the forward direction holds
with probability $2^{-72}$. Hence, assuming that the two differential characteristics
are independent and using the most naive method, i.e. random trials, to fulfill
all the conditions imposed by the differential characteristics would result in an
attack complexity of $2^{2 \cdot (72 + 28)} = 2^{200}$. This is too high for a practical attack
on reduced SHA-256. However, the complexity can be significantly reduced by
using message modification techniques. Moreover, some conditions at the end
of the differential characteristics can be ignored, which also improves the attack
complexity.
Table 2. Differential characteristic for steps 23-47 using signed-bit-differences. Note
that conditions imposed by the characteristic in steps 23-30 are fulfilled in a deterministic
way using message modification techniques.



Ignoring conditions at the end. As was already observed in the cryptanalysis
of SHA-1, conditions resulting from the modular addition in the last steps of the
differential characteristic can be ignored jhldbl. The reason is that we do not care
about carries in the last steps, since the modular difference will be the same. In
the attack on SHA-256, we can ignore 6 conditions in step 46 in the characteristic
used in the forward direction and 3 conditions in step 1 in the characteristic used in
the backward direction. This improves the complexity of the attack by a factor of
$2^{2 \cdot (3 + 6)} = 2^{18}$, resulting in a complexity of $2^{182}$.


Impact of additional less probable characteristics. Even if all the message
conditions for the two characteristics are already in place, there exist a number
of differential characteristics which hold with the same or a slightly lower probability.
Hence, it is advantageous to consider differentials. A similar effect has
been exploited by Kelsey et al. in the amplified boomerang attack on block ciphers
m-. For hash functions, this has been systematically studied for SHA-1
in m-. We achieve a significant speedup in the attack on SHA-256 by allowing
these additional characteristics. For instance, by changing the signs of the differences
in chaining variable $H_0$, we get $2^3$ additional differential characteristics for
the backward direction which all hold with the same probability as the original
differential characteristic given in Table 1. Similarly, we also get $2^3$ additional
differential characteristics by changing the signs of the differences in chaining
variable $H_3$. This already improves the complexity of the attack by a factor of
$2^6$. Furthermore, if we do not block the input differences of $f_1$ and $f_0$ in step 1,
we get $2^4$ additional characteristics which again hold with the same probability.
Thus, by allowing additional differential characteristics the complexity of the
attack can be improved by a factor of $2^{10}$, resulting in an attack complexity
of $2^{172}$. We want to stress that in practice there exist many more additional
differential characteristics that can be used, and hence the attack complexity is
much lower in practice.

Message modification. As already indicated in Section 2, message modification
techniques can be used to significantly improve the complexity of the attack.
The notion of message modification has been introduced by Wang et al. in the
cryptanalysis of MD5 and other hash functions JJJj. The main idea is to choose
the message words and internal chaining variables in an attack on the hash
function to fulfill the conditions imposed by the differential characteristic in a
deterministic way.

Luckily, by using message modification techniques, we can fulfill all conditions
imposed by the differential characteristic in steps 22-30 by choosing the expanded
message words $W_{22}, \ldots, W_{30}$ accordingly. This improves the complexity of the
attack by a factor of $2^{2 \cdot 66} = 2^{132}$, resulting in an attack complexity of $2^{40}$.

Additional costs coming from the message expansion. So far we assumed
that the differential characteristic in the message expansion of SHA-256 will hold
with probability 1. However, since the message expansion of SHA-256 is not linear,
this is not the case in practice. Indeed, most of the conditions that have
to be fulfilled to guarantee that the characteristic holds in the message expansion
can be fulfilled by choosing the expanded message words and differences
in steps 21-30 accordingly. Only the conditions for step 5 and step 6 imposed
by the differential characteristic used in the backward direction cannot be fulfilled
deterministically (see Table 1). In step 6 we need that

$W_6^* - W_6 = 3$   (23)

Furthermore, to ensure that there will be no difference in $W_5$ we need that

$W_{21}^* - \sigma_0(W_6^*) - (W_{21} - \sigma_0(W_6)) = 0$   (24)

Since (23) will hold with a probability of $2^{-1}$ and (24) will hold with probability
$2^{-2}$, this adds an additional factor of $2^{2 \cdot 3} = 2^6$ to the attack complexity. Hence,
the final complexity of the attack is $2^{46}$. By Theorem Q the complexity in the
generic case is around $2^{85}$.

Implementation. Even though the complexity of the attack was estimated to
be about $2^{46}$, we expected that the complexity would be lower in practice due to
the impact of additional differential characteristics. This was confirmed by our
implementation. In Table 3 an example of a second-order differential collision
for 47 steps of SHA-256 is shown.

Table 3. Example of a second-order differential collision $f(y + \alpha_1 + \alpha_2) - f(y + \alpha_1) - f(y + \alpha_2) + f(y) = 0$ for 47 steps of the SHA-256 compression function




4 Applications to Related Primitives 

The results presented in the previous section have a direct impact on the analysis
of primitives similar to SHA-256. First of all, due to the similar design of
SHA-256 and SHA-512, the attack extends in a straightforward way to SHA-512.
Second, our search for sub-optimal characteristics in SHA-256 can be used to
find suitable characteristics for a related-key rectangle attack on the SHACAL-2
block cipher D21, which is based on SHA-256. The block cipher was proposed by
Handschuh and Naccache in 2000 and was evaluated by NESSIE.


4.1 Application to SHA-512 

The structure of SHA-512 is very similar to SHA-256: only the size of the
words is increased from 32 to 64 bits and the linear functions $\Sigma_0, \Sigma_1, \sigma_0, \sigma_1$ are
redefined. Also the number of steps is increased from 64 to 80. Since the design
of SHA-512 is very similar to SHA-256, the attack presented for SHA-256 extends
in a straightforward way to SHA-512. Furthermore, due to the larger hash size
of SHA-512 compared to SHA-256, the complexity of the generic attack also
increases, i.e. it becomes around $2^{170}$. Hence, the attack can be extended to
more steps than was the case for SHA-256 by adding steps at the beginning.
Also, due to the larger word size and hence worse diffusion within the words,
adding steps in the middle becomes easier. Thus, we expect that several steps
can be added in the middle as well. This is work in progress.

4.2 Application to SHACAL-2 

In the past several related-key rectangle attacks have been published for the
SHACAL-2 block cipher [I I II D123I24138I. It is interesting to note that all of
the published rectangles on SHACAL-2 contain a flaw in the analysis. This
flaw is in the switch of the rectangle, since the used characteristics are not
independent and the conditions cannot be satisfied simultaneously in both of the
characteristics. In the rectangles in [2413811 ij, in the switch in the middle
the following differences in bit 13 are defined: at the output of the backward
characteristic $\Delta E[13] = 1$, $\Delta F[13] = \Delta G[13] = 0$; at the input of the forward
characteristic $\Delta E[13] = 0$, $\Delta F[13] = 1$, $\Delta G[13] = 0$. At the first step of the
forward characteristic it is assumed that the output difference of $f_1$ is zero.
However, this is not possible for both of the characteristics. Since $\Delta E[13] = 1$,
the value of $E[13]$ has to be 0. Then, in the second characteristic (on the other
side of the rectangle), since the output difference $\Delta E[13]$ is 1, this $E[13]$
will be 1, and therefore the output of $f_1$ in bit 13 will produce a difference. A
similar contradiction can be seen in El. First, since there is a difference in bit
13 in $E_{25}$ coming from the upper trail, one needs the differences in $F_{25}$ and $G_{25}$
in bit 13 to be the same (have the same sign) in the lower trail (see Table 3),
otherwise there will be a contradiction. In the next step we have $G_{26} = F_{25}$ and
$H_{26} = G_{25}$, and hence the differences in bit 13 of $G_{26}$ and $H_{26}$ have the same sign.
This leads now to a contradiction, since in the characteristic it is required that
these two differences cancel out. However, since they have the same sign this is
not possible and we get a contradiction. In m, in the lower trail (Table 6) there
are conditions on $E_{24}$ in bits (2,14,15,24,25) to guarantee that the differences in
$G_{24}$ behave correctly; in particular, bit 24 of $E_{24}$ has to be 1. But from the
upper trail we get a difference in $W_{23}$ in bits 13, 24, and 28, and hence $E_{24}$ will
have a difference in bits 13, 24, 28. Therefore, $E_{24}$ cannot take the value 1 (in these
three bits) in both of the bottom characteristics. This can be fixed by allowing
a carry from bit 13 to 24 to cancel the difference in bit 24, but then there will
always be a difference in bits 14 and 15, which again leads to a contradiction.

Each of the published rectangle attacks works for the whole key space. Further,
we relax this requirement, i.e. we examine the security of the cipher in a weak-key
class. These types of attacks are in line with the recent attacks on AES-256 0.
We analyze a secret-key primitive, hence the message modification techniques
presented in the previous section are not applicable, and therefore the complexity
of the attack is fully determined by the probability of the characteristics used
in the rectangle. The probability of the characteristic in the key schedule does not
necessarily have to be 1 (it is a weak-key class); however, this adds to the total
complexity of the attack.

Our search for sub-optimal characteristics in SHA-256 can be used as well
to find characteristics suitable for a related-key rectangle attack on SHACAL-2.
Note that the search avoids using the above-mentioned characteristics (with
flaws), since it checks experimentally that all the conditions on the switch can
be satisfied.

We found a 48-step related-key rectangle distinguisher with two different characteristics,
the first on 24 steps with probability $2^{-52}$, and the second on 24 steps with $2^{-52}$
(see Table 4). The probability of the key schedule (message expansion) is $2^{-8.5}$.
Therefore, the total probability of the rectangle is $2^{-216.5}$. Using some available
techniques, e.g. the one presented in El, we can add one step at the beginning
and two steps at the end of the rectangle, to obtain a key recovery attack on 51
steps of SHACAL-2.

Table 4. Differential characteristic using xor-differences for the rectangle distinguisher
on 48 steps of SHACAL-2




5 Conclusions 

In this work, we have shown an application of higher-order differential cryptanalysis
on block-cipher-based hash functions. In our attack, we adapted several
techniques known from block cipher cryptanalysis to hash functions. Applying
these techniques to SHA-256 led to an attack for 47 (out of 64) steps of the
compression function with practical complexity. The best known attack so far
with practical complexity was for 33 steps. Since the structure of SHA-512 and
SHA-256 is very similar, the attack transfers to SHA-512 in a straightforward
way. Furthermore, due to the larger word size and output size, attacks for more
steps may be expected. We also want to note that the attacks cannot be extended
to the hash function to construct collisions or (second) preimages.

However, based on our results, a few conclusions can be deduced. First, 
SHA-256 has a low security margin against practical distinguishers. Its compres- 
sion function seems to be weaker than those of the third round SHA-3 candidates, 
as none of them has practical distinguishers covering such a high percentage of 
the total number of steps. 

Second, when applying boomerang/rectangle attacks to word oriented prim- 
itives, the switch in the middle has to be checked carefully - the flaws we have 
presented as well as our experiments indicate that only a very small percentage 
of characteristics (even with sparse input-output differences) can be combined. 
Finally, the basic strategy described in this paper, i.e. linearize the compression
function, search for sub-optimal characteristics and combine them in a
boomerang/rectangle attack, can be used as a preliminary security analysis for
hash functions in general.
Abstract. In this paper, we analyze the collision resistance of SHA-2
and provide the first results since the beginning of the NIST SHA-3 com- 
petition. We extend the previously best known semi-free-start collisions 
on SHA-256 from 24 to 32 (out of 64) steps and show a collision at- 
tack for 27 steps. All our attacks are practical and verified by colliding 
message pairs. We present the first automated tool for finding complex 
differential characteristics in SHA-2 and show that the techniques on 
SHA-1 cannot directly be applied to SHA-2. Due to the more complex 
structure of SHA-2 several new problems arise. Most importantly, a large 
amount of contradicting conditions occur which render most differential 
characteristics impossible. We show how to overcome these difficulties 
by including the search for conforming message pairs in the search for 
differential characteristics. 

Keywords: hash functions, SHA-2, collision attack, differential char- 
acteristic, generalized conditions. 

1 Introduction 

Since the breakthrough results of Wang et al. >, hash functions have been
the target in many cryptanalytic attacks. These attacks have especially shown
that several well-known and commonly used algorithms such as MD5 and SHA-1
can no longer be considered to be secure. In fact, practical collisions have been
shown for MD5 and collisions for SHA-1 can be constructed with a complexity of
about $2^{63}$ PH]. For this reason, NIST has proposed the transition from SHA-1 to
the SHA-2 family as a first solution. As a consequence, more and more companies
and organizations are migrating to SHA-2. Hence, a detailed analysis of this hash
function family is needed to get a good view on its security.

Although the design principles of SHA-2 are very similar to SHA-1, it is still 
unknown whether or how the attacks on MD5 and SHA-1 can be extended to 
SHA-2. Since 2008, no collision attacks have been published on SHA-2. One 
reason might be that the SHA-3 competition jOj initiated by NIST has attracted 
more attention by the cryptographic community. However, a more likely reason 
is the increased difficulty of extending previous collision attacks to more steps of 
SHA-2. In this work, we show that apart from a good attack strategy, advanced 
automated tools are essential to construct differential characteristics and to find 
conforming message pairs.

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 288-307, 2011.
Related Work. In the past, several attempts have been made to apply the
techniques known from the analysis of SHA-1 to SHA-2. The first known cryptanalysis
of the SHA-2 family was published by Gilbert and Handschuh [Hj. They
have shown 9-step local collisions which hold with a probability of $2^{-66}$. Hawkes
et al. 0 have improved these results to get local collisions with a probability of
$2^{-39}$ by considering modular differences.

In jBj, Mendel et al. have analyzed how collision attacks can be applied to step-reduced
SHA-256. They have shown that the properties of the message expansion
of SHA-256 prevent an efficient extension of the techniques of Chabaud and
Joux PQ and Wang et al. P. Nevertheless, they presented a collision for 18
steps of SHA-256. In jT2|, Sanadhya and Sarkar have revisited the problem of
obtaining a local collision for the SHA-2 family, and in H3 they have shown
how to use one of these local collisions to construct another 18-step collision for
SHA-256.

Finally, Nikolic and Biryukov m found a 9-step differential using modular 
differences which can be used to construct a practical collision for 21 steps and 
a semi-free-start collision for 23 steps of SHA-256. This was later extended to 
22, 23 and 24 steps by Sanadhya and Sarkar in a series of papers [TT11 4111 Hj . The 
best known collision attack on SHA-256 so far was for 24 steps and has been 
found by Sanadhya and Sarkar DU, and Indesteege et al. jjj. 

All these results use rather simple differential characteristics which are constructed
mostly manually or using basic cryptanalytic tools. However, the most
efficient collision attacks on SHA-1 use more complex characteristics, especially
in the first few steps of the attack. Constructing such complex characteristics is
in general a difficult task. First, Wang et al. P23 have constructed such a characteristic
for SHA-1 manually. Later, De Canniere and Rechberger Pj proposed
a method to efficiently find such complex characteristics for SHA-1 in an automated
way. Furthermore, also the best practical collision attack on SHA-1 (with
the highest number of steps) is based on this approach.

Our Contribution. Currently, all collision attacks on SHA-2 are of practical 
complexity and based on the same basic idea: extending a local collision over 9 
steps to more steps. As already mentioned in [Zj , this kind of attack is unlikely to 
be extended beyond 24 steps. In this work, we investigate new ideas to progress 
in the cryptanalysis of SHA-2. First, we extend the idea of finding local collisions 
to more than 9 steps by exploiting the nonlinearity of both the state update and 
message expansion. 

To find such local collisions an automated tool to search for complex dif- 
ferential characteristics is needed. We start with the approach of De Canniere 
and Rechberger |2j on SHA-1. Unfortunately, their techniques cannot directly 
be applied to SHA-2. We have observed several problems in finding valid differ- 
ential characteristics for SHA-2. In this work, we have identified these problems 
and show how to solve them efficiently. Most importantly, a very high number 
of contradicting conditions occurs which render most differential characteristics 
impossible. 
To summarize, we present the first automatic tool to construct complex differential
characteristics for reduced SHA-2. Applying our tool to SHA-256 results
in practical examples of semi-free-start collisions for 32 and collisions for 27 out
of 64 steps of SHA-256. The best semi-free-start collision and collision attack so
far was on 24 steps of SHA-256.

Outline. The paper is structured as follows. In Section 2 we give a short description
of SHA-256. In Section 3 we provide an overview of the general attack
strategy and briefly mention which problems arise in the search for differential
characteristics in SHA-2. In Section 4 we show how to efficiently propagate
differences and conditions in SHA-2. Furthermore, we discuss why most differential
characteristics are invalid and describe how to detect inconsistencies. In
Section 5 we present our automated tool to construct complex differential characteristics
and to find conforming message pairs in SHA-2. Finally, we conclude
on our results in Section 6.

2 Description of SHA-256 

SHA-256 is one of four hash functions defined in the Federal Information Processing
Standard (FIPS-180-3) HO]. All four hash functions were designed by the
National Security Agency (NSA) and issued by NIST in 2002. SHA-256 is an
iterated cryptographic hash function with a hash output size of 256 bits, a message
block size of 512 bits and using a word size of 32 bits. In the compression
function of SHA-2, a state of eight chaining variables $A, \ldots, H$ is updated using
16 message words $M_0, \ldots, M_{15}$.



Fig. 1. The SHA-2 step update function 


The compression function of SHA-256 consists of 64 identical step update functions
which are illustrated in Fig. 1 and given as follows:

$T_0 = \Sigma_0(A_{i-1}) + f_0(A_{i-1}, B_{i-1}, C_{i-1})$

$T_1 = \Sigma_1(E_{i-1}) + f_1(E_{i-1}, F_{i-1}, G_{i-1}) + H_{i-1} + K_i + W_i$

$A_i = T_0 + T_1$, $B_i = A_{i-1}$, $C_i = B_{i-1}$, $D_i = C_{i-1}$

$E_i = D_{i-1} + T_1$, $F_i = E_{i-1}$, $G_i = F_{i-1}$, $H_i = G_{i-1}$   (1)

The Boolean functions $f_0$ (MAJ) and $f_1$ (IF) are given by

$f_0(x, y, z) = (x \wedge y) \oplus (x \wedge z) \oplus (y \wedge z)$,

$f_1(x, y, z) = (x \wedge y) \oplus (\neg x \wedge z)$.

The two GF(2)-linear functions $\Sigma_0$ and $\Sigma_1$ are defined as follows:

$\Sigma_0(x) = x \ggg 2 \oplus x \ggg 13 \oplus x \ggg 22$,

$\Sigma_1(x) = x \ggg 6 \oplus x \ggg 11 \oplus x \ggg 25$.


In the $i$-th step of the update function, a fixed constant $K_i$ and the $i$-th word $W_i$
of the expanded message are added to the state. The message expansion takes
the 16 message words $M_i$ as input and outputs 64 expanded message words $W_i$
as follows:

$$W_i = \begin{cases} M_i & \text{for } 0 \le i < 16 \\ \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & \text{for } 16 \le i < 64 \end{cases}$$

where the functions $\sigma_0(x)$ and $\sigma_1(x)$ are defined as follows:

$\sigma_0(x) = x \ggg 7 \oplus x \ggg 18 \oplus x \gg 3$,

$\sigma_1(x) = x \ggg 17 \oplus x \ggg 19 \oplus x \gg 10$.


3 Basic Attack Strategy 

In this section, we give a brief overview of our attack strategy. We first describe 
how we generalize the approach of Nikolić and Biryukov to find semi-free-start 
collisions on a higher number of steps. Due to this extension, differential 
characteristics can no longer be constructed manually or semi-automatically. 
Hence, we provide a fully automated tool to construct complex differential 
characteristics in SHA-2. Furthermore, we discuss why it is extremely difficult to find 
valid differential characteristics in SHA-2. In fact, we were not able to find a valid 
differential characteristic without including the search for a conforming message 
pair in the process. Therefore, the approach of first finding a valid differential 
characteristic and then independently searching for a conforming message pair does 
not apply very well to SHA-2. Hence, our attack strategy can be summarized as 
follows: 

1. Determine a starting point for the search which results in an attack on a 
large number of steps. The resulting start characteristic should span over 
few steps and only some message words should contain differences. 

2. Use an automated search tool to find a differential characteristic for the 
unrestricted intermediate steps including the message expansion. 

3. Continue the search to find a conforming message pair. If no message pair 
can be found, adjust the differential characteristic accordingly. 

Note that after step 2 it is not ensured that the differential characteristic is valid. 
If we cannot find a conforming message pair after a certain amount of time we 
go back to step 2 to adjust the differential characteristic. 
3.1 Determining a Starting Point 

By exploiting the nonlinearity of the step update function, Nikolić and Biryukov 
found a 9-step differential characteristic for which it is not necessary to apply 
corrections (differences in the message words) in each step of the differential 
characteristic. The fact that not all (only 5 out of 9) message words contain 
differences helped to overcome several steps of the message expansion, resulting 
in a collision and a semi-free-start collision attack for 21 and 23 steps, respectively. 
Later this approach was extended to a collision attack on 24 steps. 
However, it has been pointed out that this approach is unlikely to be extended 
beyond 24 steps. 

In our attack, we are using differential characteristics which span over t > 
9 steps, which allows us to attack more steps of SHA-256. As in the attack 
of Nikolic and Biryukov we are interested in differential characteristics with 
differences in only a few message words. Then, large parts of the expanded 
message have no difference which in turn, results in an attack on more than 
24 steps. Already by using a differential characteristic spanning over t = 10 
steps (with differences in only 3 message words) we can construct a semi-free- 
start collision for 27 steps of SHA-256. This can be extended to 32 steps using 
a differential characteristic spanning over t = 16 steps with differences in 8 
message words. 

To construct these starting points, we first fix the value of t and consider only 
differential characteristics which may result in collisions on more than 24 steps. 
Then, we identify those message words which need to have differences such that 
the differential characteristic holds for the whole message expansion. Table 2 
in Appendix A shows the starting point used for the attack on 32 steps. Note 
that we have further optimized the message difference slightly to keep it sparse, 
which reduces the search space for the automated tool. 

3.2 Searching for Valid Differential Characteristics and Conforming 
Message Pairs in SHA-2 

Once we have determined a good starting point we continue by constructing a 
valid differential characteristic for both the state update transformation and the 
message expansion. We have implemented an automated search tool for SHA-2 
which is similar to the one proposed in [2] to construct complex characteristics 
for SHA-1. However, the increased complexity of SHA-2 compared to SHA-1 
complicates a direct application of their approach. In the following, we briefly 
outline which problems occurred and how we have resolved them. 

First of all, the larger state size, the combined update of two state variables, 
and the higher diffusion due to the $\Sigma_i$ functions increase the complexity 
significantly. To limit these issues, we use an alternative description of SHA-2 where 
only two state variables are updated separately (see Section 4.1). Furthermore, 
we split up one SHA-2 step (including the nonlinear message expansion) into 9 
less complex sub steps. This way, the propagation of differences can be implemented 
much more efficiently while losing only a small amount of information 
(see Section 4.3). 
However, the main problem in SHA-2 is that it is difficult to determine 
whether a differential characteristic is valid, i.e. whether a conforming message 
pair exists. For example, many more conditions on two bits of the form 
$A_{i,j} = A_{i-1,j}$ occur in SHA-2 than in SHA-1. Furthermore, 
the orthogonal application of the $\Sigma_i$ and $f_i$ functions results in cyclic conditions 
which contradict with a high probability (see Section 4.4). Additionally, more 
complex conditions on more bits occur. One reason for these additional conditions 
is that two state variables ($A_i$, $E_i$) are updated using a single message 
word ($W_i$). Unfortunately, it is not possible to determine all these conditions 
in general. However, we have implemented different tests to efficiently check for 
many contradictions (for more details, see Section 4.5). 

Despite all these tests, we were not able to find a valid differential characteristic. 
In the end, even brute-forcing a single critical message word (a message 
word where most bits are already set) did not lead to a solution. Therefore, we 
have combined the search for differential characteristics with the search for a 
conforming message pair (see Section 5). During the message search, we first 
determine critical bits and backtrack if needed. This way complex hidden conditions 
are resolved at an earlier stage in the search. Furthermore, we correct 
impossible characteristics once they are detected. 


4 Difference and Condition Propagation in SHA-2 

We use generalized conditions to nonlinearly propagate differences and conditions 
in both the state update and the message expansion of SHA-2. Generalized 
conditions are propagated in a bit-sliced manner. Note that in the case of 
SHA-2, one bit of $A$ and $E$ is updated using 15 input bits. Hence, to simplify 
the bit-sliced step update, we use an alternative description of SHA-2. 


4.1 Alternative Description of SHA-2 

In the state update transformation of SHA-2, only two state variables are 
updated in each step, namely $A_i$ and $E_i$. Therefore, we can redefine the state 
update such that only these two variables are involved. In this case, we get the 
following mapping between the original and new state variables: 

  original:  $A_i$   $B_i$       $C_i$       $D_i$       $E_i$   $F_i$       $G_i$       $H_i$ 
  new:       $A_i$   $A_{i-1}$   $A_{i-2}$   $A_{i-3}$   $E_i$   $E_{i-1}$   $E_{i-2}$   $E_{i-3}$ 

Note that $A_i$ is updated using an intermediate result ($T_1$) of the step update of $E_i$ 
(see Equation (1)). Since this complicates the efficient bit-sliced representation 
of the SHA-2 step update transformation, we propose the following alternative 
description: 

$$
\begin{aligned}
E_i &= E_{i-4} + \Sigma_1(E_{i-1}) + f_1(E_{i-1}, E_{i-2}, E_{i-3}) + A_{i-4} + K_i + W_i \\
A_i &= -A_{i-4} + \Sigma_0(A_{i-1}) + f_0(A_{i-1}, A_{i-2}, A_{i-3}) + E_i
\end{aligned}
\tag{2}
$$

Equation (2) follows from Equation (1) by substituting $D_{i-1} = A_{i-4}$ and 
$H_{i-1} = E_{i-4}$: then $E_i = A_{i-4} + T_1$, and $A_i = T_0 + T_1 = T_0 + (E_i - A_{i-4})$. 
In this case we get two SHA-1-like state update transformations, one for the left 
($A_i$) and one for the right ($E_i$) side of the SHA-2 state update transformation. 
Note that in this description, the state variables $A_{-4}, \ldots, A_{-1}$ and $E_{-4}, \ldots, E_{-1}$ 
represent the chaining input or initial value of the compression function. The 
alternative description is also illustrated in Fig. 2. 



4.2 Generalized Conditions 

Inspired by signed-bit differences, De Cannière and Rechberger introduced 
generalized conditions for differences, where all 16 possible conditions on a pair 
of bits are taken into account [2]. Table 1 lists all these possible conditions and 
introduces notations for the various cases. 

Table 1. Notation for possible generalized conditions on a pair of bits [2] 

 $(x_i, x_i^*)$ | (0,0) (1,0) (0,1) (1,1)      $(x_i, x_i^*)$ | (0,0) (1,0) (0,1) (1,1) 
 -------------- | -----------------------      -------------- | ----------------------- 
       ?        |   ✓     ✓     ✓     ✓               3        |   ✓     ✓     ·     · 
       -        |   ✓     ·     ·     ✓               5        |   ✓     ·     ✓     · 
       x        |   ·     ✓     ✓     ·               7        |   ✓     ✓     ✓     · 
       0        |   ✓     ·     ·     ·               A        |   ·     ✓     ·     ✓ 
       u        |   ·     ✓     ·     ·               B        |   ✓     ✓     ·     ✓ 
       n        |   ·     ·     ✓     ·               C        |   ·     ·     ✓     ✓ 
       1        |   ·     ·     ·     ✓               D        |   ✓     ·     ✓     ✓ 
       #        |   ·     ·     ·     ·               E        |   ·     ✓     ✓     ✓ 


Definition 1 (Generalized Conditions for Differences [2]). Let $X \in \{0,1\}^n$ 
and $X^* \in \{0,1\}^n$, then the notation 

$$\nabla X = [c_{n-1}, \ldots, c_0],$$

where $c_i$ denotes one of the conditions of Table 1 for the $i$-th bit, defines a subset 
of pairs $(X, X^*) \in \{0,1\}^n \times \{0,1\}^n$ that conforms to the specified conditions. 
For example, all pairs of 8-bit words $X$ and $X^*$ that satisfy 

$$\{(X, X^*) \in \{0,1\}^8 \times \{0,1\}^8 \mid x_7 \cdot x_7^* = 0,\ x_i = x_i^* \text{ for } 1 \le i \le 5,\ x_0 \ne x_0^*\}$$

can be conveniently written in the form 

$$\nabla X = [\texttt{7?-----x}].$$

4.3 Efficiently Implementing the Propagation of Generalized 
Conditions 

We propagate generalized conditions similarly as in the attack on SHA-1. However, 
the complexity of propagating generalized conditions increases exponentially 
with the number of input bits and additions. While there are only 6 input 
bits in the case of SHA-1 (excluding the carry), we have 9 input bits in the 
update of $E_i$ and 8 input bits in the update of each of $A_i$ and $W_i$ in SHA-2. 

To reduce the computational complexity of the propagation in SHA-2, we have 
further split the update of each of $W_i$, $E_i$ and $A_i$ into 3 sub steps. In more detail, we 
independently compute each output bit of the $\sigma_i$, $\Sigma_i$ and $f_i$ functions and then 
compute the modular additions. This way, the number of input bits reduces to 
3 for $\sigma_i$, $\Sigma_i$ and $f_i$, and we get at most 5 input bits for the modular additions. 
This split of functions reduces the computational complexity by a factor of about 
100. 

Furthermore, for the sub steps without modular addition we have precom- 
puted the propagation of all generalized input conditions. For the modular addi- 
tions we use a hash map to store already computed bit sliced results. In this case, 
the bit slice update of each sub step reduces to simple table or hash map lookups. 
Our experiments have shown a speedup of another factor 100 by caching already 
computed results. The drawback of this method is that we lose the relation be- 
tween the sub steps compared to a combined propagation. Furthermore, due to 
memory restrictions we are not able to precompute or keep all possibilities for 
the modular additions. 


4.4 Two-Bit Conditions 

Apart from generalized conditions, additional conditions on more than a single 
bit are present in a differential characteristic. Especially, conditions on two bits 
are needed such that a differential path is valid. These two-bit conditions have 
already been used by Wang et al. in their attacks on the members of the MD4 
family. Such two-bit conditions occur mostly in the propagation of differences 
through the Boolean functions. For example, if an input difference in $A_{i-1}$ 
at bit position $j$ should result in a zero output difference of $f_0(A_{i-1}, A_{i-2}, A_{i-3})$, 
the remaining two input bits should be equal. In this case, we get the two-bit 
condition $A_{i-2,j} = A_{i-3,j}$. Similar conditions occur not only in the $f_i$, $\sigma_i$ and 
$\Sigma_i$ functions but also in the modular additions. 
Two-bit conditions are not covered by generalized conditions and thus are not 
shown in the characteristics given in [2]. However, two-bit conditions may lead 
to additional inconsistencies. For example, in two subsequent $f_0$ functions the 
following two contradicting conditions may occur: 

$$(A_{i-2,j} = A_{i-3,j}) \wedge (A_{i-2,j} \ne A_{i-3,j}).$$

Since such contradicting conditions occur only rarely in SHA-1, simple additional 
checks are sufficient to verify whether a given differential characteristic is valid 
at the end of the search. 


[Fig. 3 not reproduced: it lists the generalized conditions of $\nabla A_0$ to $\nabla A_3$, 
with 'n' differences at the bit positions that take part in the cycle described in the caption.] 

Fig. 3. Example of four cyclic and contradicting two-bit conditions. Such cases commonly 
occur in SHA-2 and are not covered by generalized conditions. For the two 
$\Sigma_0$ functions (XOR) we have twice $\Sigma_0(\texttt{n},\texttt{-},\texttt{-}) = \texttt{n}$, which results in the two equalities 
$A_{1,2} = A_{1,13}$ and $A_{2,2} = A_{2,13}$. For the $f_0$ function (MAJ) at bit position 2 we get 
$f_0(\texttt{-},\texttt{-},\texttt{n}) = \texttt{n}$ if and only if $A_{2,2} \ne A_{1,2}$, while for bit position 13 we get 
$f_0(\texttt{-},\texttt{-},\texttt{n}) = \texttt{-}$ if and only if $A_{2,13} = A_{1,13}$ (the majority of two equal bits does not 
depend on the third input, so the difference is absorbed exactly when the two other bits are equal). 
Together the four relations give $A_{1,2} = A_{1,13} = A_{2,13} = A_{2,2} \ne A_{1,2}$, a contradiction. 
Note that in this example, all involved bits of $E_i$ do not contain any difference. 


This is not the case in SHA-2. Note that the nonlinear Boolean functions $f_0$ 
and $f_1$ update the same bit position of different words, while the linear $\Sigma_i$ 
functions update different bit positions within the same word. Hence, more complex 
cyclic two-bit relations occur. A still simple example is given in Fig. 3. In this 
case, 4 bits of two $\Sigma_i$ and two Boolean functions are related in a cyclic form 
which results in a contradiction. We have observed that for a given differential 
characteristic even more complex relations with cycle lengths larger than 
10 commonly occur. Of course already a single contradicting cycle results in an 
impossible differential characteristic. 


4.5 Inconsistency Checks 

To avoid inconsistent differential characteristics, we have evaluated a number 
of checks to detect contradictions as early and efficiently as possible. Note that 
a test which is able to detect many contradictions is usually also less efficient. 
However, also a simple test may detect a contradiction at a later point in the 
search. Due to the high number of complex conditions in SHA-2 and the difficulty 
to detect them we need to make a trade-off here. 
Two-Bit Condition Check. Two-bit conditions are linear conditions in GF(2), 
since such conditions can only be either equal ($A_{i,j} = A_{i-1,j}$) or non-equal 
($A_{i,j} \ne A_{i-1,j}$). Contradictions in two-bit condition cycles can be efficiently 
detected by determining all two-bit conditions, setting up a linear system of 
equations and checking if the system can be solved using Gaussian elimination. 
Although a large number of contradictions are detected this way, most characteristics 
are still invalid after this check. 

Complete Condition Check. A quite expensive test is to check for every bit 
restricted to '-' or 'x' whether both possible cases ('0' and '1', or 'n' and 
'u') are indeed still valid. If both choices for a single bit are invalid we know that 
the whole characteristic is impossible. Of course these tests can be extended to 
other generalized conditions as well. However, it turned out to be more efficient 
to apply this check only rarely and only to specific conditions during the search. 
Furthermore, we have improved the speed of this complete test by applying it 
only to bits which are restricted by two-bit conditions. 

Complete Condition Check on a Set of Bits. Since even the complete 
condition check is not able to detect many contradictions, we have analyzed 
different variants of setting all possibilities for all or selected combinations of 2, 
3 or 4 bits. Such tests indeed detect more impossible characteristics but are very 
inefficient to compute and thus, cannot be used during the search for differential 
characteristics in SHA-2. 
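The following Python program is an added example, not code from the authors' tool, that makes Sections 4.2 to 4.5 concrete in one place: the 16 generalized conditions of Table 1 as sets of allowed bit pairs, bit-sliced propagation through a Boolean function by exhausting the allowed input pairs (the precomputed-table approach of Section 4.3), extraction of the two-bit conditions of Section 4.4 that generalized conditions cannot express, and the GF(2) Gaussian-elimination check of Section 4.5 run on the four-bit cycle of Fig. 3. The function names, the variable numbering of the Fig. 3 bits, and the choice of output bit 0 of $\Sigma_0$ (which reads input bits 2, 13 and 22, with the difference placed in bit 22) are this example's own assumptions.

```python
"""Generalized conditions (Table 1, Section 4.2), bit-sliced propagation
(Section 4.3), two-bit conditions (Section 4.4) and the GF(2) consistency
check of Section 4.5, applied to the four-bit cycle of Fig. 3."""
from itertools import product

# Table 1: condition symbol -> allowed (x, x*) bit pairs.  The hex-letter
# symbols are bitmasks over the column order (0,0), (1,0), (0,1), (1,1).
COND = {
    '?': {(0, 0), (1, 0), (0, 1), (1, 1)}, '-': {(0, 0), (1, 1)},
    'x': {(1, 0), (0, 1)}, '0': {(0, 0)}, 'u': {(1, 0)}, 'n': {(0, 1)},
    '1': {(1, 1)}, '#': set(), '3': {(0, 0), (1, 0)}, '5': {(0, 0), (0, 1)},
    '7': {(0, 0), (1, 0), (0, 1)}, 'A': {(1, 0), (1, 1)},
    'B': {(0, 0), (1, 0), (1, 1)}, 'C': {(0, 1), (1, 1)},
    'D': {(0, 0), (0, 1), (1, 1)}, 'E': {(1, 0), (0, 1), (1, 1)},
}
SYMBOL = {frozenset(v): k for k, v in COND.items()}


def conforms(x, x_star, nabla):
    """Does the word pair (x, x*) lie in the set nabla = [c_{n-1} ... c_0]?"""
    n = len(nabla)
    return all(((x >> i) & 1, (x_star >> i) & 1) in COND[nabla[n - 1 - i]]
               for i in range(n))


def maj(a, b, c):            # f_0
    return (a & b) ^ (a & c) ^ (b & c)


def xor3(a, b, c):           # one output bit of a Sigma / sigma function
    return a ^ b ^ c


def consistent_inputs(func, in_conds, out_cond='?'):
    """Every tuple of input pairs allowed by in_conds whose pair of outputs
    satisfies out_cond: the exhaustive table a bit slice is precomputed from."""
    combos = []
    for pairs in product(*(COND[c] for c in in_conds)):
        out = (func(*[p[0] for p in pairs]), func(*[p[1] for p in pairs]))
        if out in COND[out_cond]:
            combos.append(pairs)
    return combos


def propagate(func, in_conds, out_cond='?'):
    """Bit-sliced propagation: the refined input symbols and output symbol."""
    combos = consistent_inputs(func, in_conds, out_cond)
    ins = ''.join(SYMBOL[frozenset(p[i] for p in combos)]
                  for i in range(len(in_conds)))
    out = SYMBOL[frozenset((func(*[p[0] for p in pairs]),
                            func(*[p[1] for p in pairs])) for pairs in combos)]
    return ins, out


def two_bit_conditions(func, in_conds, out_cond):
    """Relations x_i + x_j = c over GF(2) between difference-free ('-') inputs
    that hold for every consistent assignment; generalized conditions on the
    single bits cannot express them."""
    combos = consistent_inputs(func, in_conds, out_cond)
    idx = [i for i, c in enumerate(in_conds) if c == '-']
    rels = []
    for a, i in enumerate(idx):
        for j in idx[a + 1:]:
            vals = {p[i][0] ^ p[j][0] for p in combos}
            if len(vals) == 1:
                rels.append((i, j, vals.pop()))
    return rels


def gf2_consistent(equations):
    """equations: (set of variable indices, right-hand side).  Incremental
    Gaussian elimination over GF(2); False as soon as 0 = 1 is derived."""
    pivots = {}                                   # pivot bit -> (mask, rhs)
    for variables, rhs in equations:
        mask = sum(1 << v for v in variables)
        for pv in sorted(pivots, reverse=True):   # reduce by known pivots
            if (mask >> pv) & 1:
                pmask, prhs = pivots[pv]
                mask ^= pmask
                rhs ^= prhs
        if mask == 0:
            if rhs:
                return False                      # derived 0 = 1
            continue
        pivots[mask.bit_length() - 1] = (mask, rhs)
    return True


def fig3_cycle_consistent(maj_out_at_bit13='-'):
    """The four-bit cycle of Fig. 3.  Variables: 0 = A_{1,2}, 1 = A_{1,13},
    2 = A_{2,2}, 3 = A_{2,13}.  Output bit 0 of Sigma_0(A) XORs bits 2, 13 and
    22 of A (assumption: the 'n' sits in bit 22, the output must be 'n').  f_0
    at bits 2 and 13 sees A_2 and A_1 without difference and an 'n' in A_0."""
    eqs = []
    for bits in ((0, 1), (2, 3)):                 # Sigma_0 on A_1 and on A_2
        for i, j, c in two_bit_conditions(xor3, '--n', 'n'):
            eqs.append(({bits[i], bits[j]}, c))
    for i, j, c in two_bit_conditions(maj, '--n', 'n'):               # bit 2
        eqs.append(({(2, 0)[i], (2, 0)[j]}, c))
    for i, j, c in two_bit_conditions(maj, '--n', maj_out_at_bit13):  # bit 13
        eqs.append(({(3, 1)[i], (3, 1)[j]}, c))
    return gf2_consistent(eqs)
```

Run `propagate(maj, "--n", "n")` and `propagate(maj, "--n", "-")`: both return the same refined inputs `"--n"`, because each of the two difference-free inputs can still be 0 or 1 individually. Only `two_bit_conditions` reveals that the first case forces them to differ and the second forces them to be equal, which is exactly the information the Fig. 3 cycle contradicts on; `fig3_cycle_consistent()` returns `False`, and flipping the bit-13 output to `'n'` makes the system solvable again.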

5 Searching for Differential Characteristics 

In general, our search techniques can be divided into three parts: decision, deduction 
and backtracking. Note that the same separation is done in many other 
fields, like SAT solvers. The first aspect of our search strategy is the decision, 
where we decide which bit is chosen and which condition is imposed at its position. 
In the deduction part we compute the propagation of the imposed condition 
and check for contradictions. If a contradiction occurs we need to backtrack and 
undo decisions, which is the third part of the search strategy. A basic search 
strategy to find differential characteristics has been described in [2] and works 
as follows. 

Let U be the set of all '?' and 'x', then repeat the following until U is empty. 

Decision 

1. Pick randomly a bit in U. 

2. Impose a '-' for a '?' or randomly a sign ('u' or 'n') for 'x'. 

Deduction 

3. Compute the propagation. 

4. If a contradiction is detected start backtracking, else go to step 1. 

Backtracking 

5. Jump back to an earlier state of the search and go to step 1. 
We have applied this strategy to SHA-2 but could not find a valid differential 
characteristic. In every case at least one of the checks described in Section 4.5 
failed. The reason for this is that conditions which are not covered by generalized 
or two-bit conditions appear much more often in SHA-2 than in SHA-1. Since 
more advanced checks are too expensive, we have developed a more sophisticated 
search strategy to find valid differential characteristics for SHA-2 as described 
in the next section. 


5.1 Search Strategy 

In our approach we already determine some message bits during the search for 
a differential characteristic. Generally speaking, we are combining the search 
for a conforming message pair with the search for a differential characteristic. In 
doing so we consider those bits much earlier, which are involved in many relations 
with other bits. This way, we can detect invalid characteristics at an early stage 
of the search. However, this should not be done too early to not restrict the 
message freedom too much. In addition, we are remembering critical bits during 
the search to improve the backtracking and speed-up the search process. In the 
following we describe the used search strategy in more detail. 

In general we have two phases in our search strategy where different bits are 
chosen (guessed) and we switch between these two dynamically. In the following, 
we describe both phases in detail. Phase 1 can be described as follows. 

Let U be the set of all '?' and 'x'. Repeat the following until U is empty: 

Decision 

1. Pick randomly a bit in U. 

2. Impose a '-' for a '?' or randomly a sign ('u' or 'n') for 'x'. 

Deduction 

3. Compute the propagation as described in Section 4.3. 

4. If a contradiction is detected start backtracking, else apply the additional 
checks of Section 4.5. 

5. Continue with step 1 if all checks passed, if not start backtracking. 

Backtracking 

6. If the decision bit is 'x' try the second choice for the sign, or if the 
decision bit is '?' impose an 'x'. 

7. If still a contradiction occurs mark the bit as critical. 

8. Jump back until the critical bit can be resolved. 

9. Continue with step 1. 

Note that, the additional checks in step 4 are optional and a trade-off between 
number of checks and speed has to be done. The additional steps in the back- 
tracking process improve the search speed significantly and prevent that critical 
bits result in a contradiction again. 

Once phase 1 is finished ( U is empty) we continue with phase 2 which can be 
summarized as follows. 
Let U' be the set of all '-' with many two-bit conditions. 

Repeat the following until U' is empty: 

Decision 

1. Pick randomly a bit in U'. 

2. Impose randomly a '0' or '1'. 

Deduction 

3. Compute the propagation as described in Section 4.3. 

4. If a contradiction is detected start backtracking, else apply the additional 
checks from Section 4.5. 

5. Continue with step 1 if all checks passed, if not start backtracking. 

Backtracking 

6. Try the second choice of the decision bit. 

7. If still a contradiction occurs mark the bit as critical. 

8. Jump back until the critical bit can be resolved. 

9. If necessary jump back to phase 1, otherwise continue with step 1. 

Choosing a decision bit with many two-bit conditions ensures that bits which 
influence a lot of other bits are chosen first. Therefore, many other bits propa- 
gate by defining the value of a single bit. Furthermore, in step 7 and 8 of the 
backtracking we can also mark more than one bit as critical. We want to note 
that due to step 9, we actually switch quite often between both phases in our 
search. 

Additionally, we restart the search from scratch after a certain amount of 
contradictions or iterations to terminate branches which appear to be stuck 
because of exploring a search space far from a solution. 

5.2 Results 

Using the start characteristic given in Table 2 and the search strategy described 
above, we can find a valid characteristic and conforming inputs which result in 
semi-free-start collisions for 32 out of 64 steps of SHA-256. An example of a semi-free-start 
collision for 32 steps is shown in Table 4. The corresponding differential characteristic 
and the set of conditions are given in the appendix. To find this example 
for 32 steps our tool was running a few days on a cluster with 32 nodes. 

So far we have only considered semi-free-start collision attacks in which an 
attacker is allowed to choose the chaining value. However, in a collision attack 
on the hash function the chaining value is fixed, which makes an attack much 
more difficult. In order to construct a collision for step-reduced SHA-256, we 
are interested in differential characteristics with no differences in the first few 
message words. Then, the additional freedom in the first message words can be 
used to transform a semi-free-start collision into a real collision. Similar characteristics 
have also been used in the collision attacks on 24 steps of SHA-256. 

By using a differential characteristic spanning over t = 11 steps with differences 
in only 5 expanded message words and with no differences in the first 7 
message words (see the appendix), we are able to construct a collision for 27 steps of 
SHA-256. The colliding message pair is shown in Table 8; the differential 
characteristic is given in Table 7 and the set of conditions is listed in the appendix. 
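To make the description of Section 2, the two-variable description of Section 4.1 and the results above checkable, the following Python program is added here as an example; it is not the authors' tool or code from the paper. It implements step-reduced SHA-256 both as Equation (1) and as Equation (2), verifies that the two agree with each other and with `hashlib` for the full 64 steps, lists which expanded message words carry a difference for a given pair (the point of Section 3.1), and carries the message pairs of Tables 4 and 8 as transcribed on this page (OCR 'l' and 'O' read as '1' and '0'). Running the file reports whether those pairs, as transcribed, still collide after 27 and 32 steps; the function names are this example's own.

```python
"""Step-reduced SHA-256 in the standard description (Eq. 1) and in the
two-variable description (Eq. 2), cross-checked against hashlib, plus the
message pairs of Tables 4 and 8 as printed in the appendix of this paper."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def f0(x, y, z): return (x & y) ^ (x & z) ^ (y & z)          # MAJ
def f1(x, y, z): return (x & y) ^ (~x & z & MASK)            # IF


def words(hexstr):
    """Whitespace-separated 32-bit hex words -> tuple of ints."""
    return tuple(int(w, 16) for w in hexstr.split())


K = words("""428a2f98 71374491 b5c0fbcf e9b5dba5 3956c25b 59f111f1 923f82a4 ab1c5ed5
d807aa98 12835b01 243185be 550c7dc3 72be5d74 80deb1fe 9bdc06a7 c19bf174
e49b69c1 efbe4786 0fc19dc6 240ca1cc 2de92c6f 4a7484aa 5cb0a9dc 76f988da
983e5152 a831c66d b00327c8 bf597fc7 c6e00bf3 d5a79147 06ca6351 14292967
27b70a85 2e1b2138 4d2c6dfc 53380d13 650a7354 766a0abb 81c2c92e 92722c85
a2bfe8a1 a81a664b c24b8b70 c76c51a3 d192e819 d6990624 f40e3585 106aa070
19a4c116 1e376c08 2748774c 34b0bcb5 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
748f82ee 78a5636f 84c87814 8cc70208 90befffa a4506ceb bef9a3f7 c67178f2""")
IV = words("6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19")


def expand(m):
    """Message expansion: W_0..W_15 = M_i, then the recurrence up to W_63."""
    w = list(m)
    for i in range(16, 64):
        w.append((sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK)
    return w


def compress(h, m, steps=64):
    """Eq. (1) on the eight chaining variables A..H, feed-forward included."""
    a, b, c, d, e, f, g, hh = h
    w = expand(m)
    for i in range(steps):
        t0 = (Sigma0(a) + f0(a, b, c)) & MASK
        t1 = (Sigma1(e) + f1(e, f, g) + hh + K[i] + w[i]) & MASK
        a, b, c, d, e, f, g, hh = (t0 + t1) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh)))


def compress_alt(h, m, steps=64):
    """Eq. (2): only A_i and E_i are computed; B..D and F..H are older A's and E's."""
    A = [h[3], h[2], h[1], h[0]]          # A_{-4}, A_{-3}, A_{-2}, A_{-1}
    E = [h[7], h[6], h[5], h[4]]          # E_{-4}, E_{-3}, E_{-2}, E_{-1}
    w = expand(m)
    for i in range(steps):
        e_i = (E[-4] + Sigma1(E[-1]) + f1(E[-1], E[-2], E[-3]) + A[-4] + K[i] + w[i]) & MASK
        a_i = (e_i - A[-4] + Sigma0(A[-1]) + f0(A[-1], A[-2], A[-3])) & MASK
        A.append(a_i)
        E.append(e_i)
    state = (A[-1], A[-2], A[-3], A[-4], E[-1], E[-2], E[-3], E[-4])
    return tuple((x + y) & MASK for x, y in zip(h, state))


def single_block(msg):
    """Pad a message of at most 55 bytes into one 512-bit block of 16 words."""
    padded = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return struct.unpack(">16L", padded)


def matches_hashlib(msg=b"abc"):
    """Both descriptions must agree with each other and with hashlib."""
    block = single_block(msg)
    ours = compress(IV, block)
    return (struct.pack(">8L", *ours) == hashlib.sha256(msg).digest()
            and compress_alt(IV, block) == ours)


def differing_expanded_words(m, m_star, steps):
    """Indices i < steps with W_i != W_i^*: a sparse message difference leaves
    most of the expanded message difference-free (Section 3.1)."""
    return [i for i, (x, y) in enumerate(zip(expand(m), expand(m_star)))
            if x != y and i < steps]


def is_collision(h0, m, m_star, steps):
    return m != m_star and compress(h0, m, steps) == compress(h0, m_star, steps)


# Table 8 (27-step collision, h0 = IV) and Table 4 (32-step semi-free-start
# collision) as printed in the appendix; OCR 'l'/'O' transcribed as '1'/'0'.
M8 = words("725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 278dfd29 "
           "0c40f8ea d8bd68a0 0ce670c5 5ec7155d 9f6407a8 729fbfe8 aa7c7c08 607ae76d")
M8_STAR = words("725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 27460e6d "
                "08c8fbea d8bd68a0 0ce670c5 5ec7155d 9f4425fb 729fbfe8 aa7c7c08 2d32d129")
H0_T4 = words("764d264f 268a3366 285fecb1 4c389b22 75cd568d f5c8f99b 6e7a3cc3 1b4ea134")
M4 = words("52a600a8 2c3b8434 ea92dfcf d4eaf9ad b77fe08d 7c50e542 69c783a6 86a14e10 "
           "baf88b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc")
M4_STAR = words("52a600a8 2c3b8434 ea92dfcb 0cdba38b f514e39d 7a5bb4cb ee6bcba6 c58f6a0f "
                "b2f78b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc")

if __name__ == "__main__":
    print("hashlib agrees with both descriptions:", matches_hashlib())
    print("Table 8 expanded words with a difference:", differing_expanded_words(M8, M8_STAR, 27))
    print("Table 8 pair collides after 27 steps:", is_collision(IV, M8, M8_STAR, 27))
    print("Table 4 pair collides after 32 steps:", is_collision(H0_T4, M4, M4_STAR, 32))
```

The Table 8 pair differs only in message words 7, 8, 12 and 15, so W_16 is difference-free and the first expanded word with a difference after the message block is W_17; whether later expanded words cancel depends on the actual values, which is why the collision itself is reported by running the script rather than assumed.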
6 Conclusions and Future Work 

In this paper, we have presented a collision for 27 and a semi-free-start collision 
for 32 steps of SHA-256 with practical complexity. This significantly improves 
upon the best previously published (semi-free-start) collision attacks on SHA-256 
for up to 24 steps. We have extended and generalized existing approaches and 
developed a fully automatic tool to construct complex differential characteristics 
for SHA-2. 

Our tool extends the techniques proposed by De Cannière and Rechberger to 
construct complex characteristics for SHA-1 using generalized conditions. The 
more complex structure of SHA-256 complicates a direct application of their 
approach. We have identified several problems and have shown how to overcome 
them. Most importantly, a large fraction of the differential characteristics found are 
invalid due to many contradicting conditions in SHA-2. We have resolved this 
problem by identifying critical bits during the whole search process, and 
by combining the search for differential characteristics with the computation of 
conforming message pairs. 

To summarize, the search for valid differential characteristics and conforming 
message pairs in SHA-2 is increasingly difficult and unpredictable, compared 
to more simple designs like MD5 and SHA-1. Nevertheless, we were able to 
construct a powerful tool to find practical examples for (semi-free-start) collisions 
in SHA-256 which can also be applied to other ARX based hash functions. 
A Differential Characteristics and Conditions 


Table 2. Starting point for a semi-free-start collision for 32 steps, using the alternative 
description of SHA-2 (Section 4.1) and the notion of generalized conditions 
(Section 4.2). [Table body not reproduced.] 
Table 4. Semi-free-start collision for 32 steps of SHA-256 

 h0   764d264f 268a3366 285fecb1 4c389b22 75cd568d f5c8f99b 6e7a3cc3 1b4ea134 
 h0*  764d264f 268a3366 285fecb1 4c389b22 75cd568d f5c8f99b 6e7a3cc3 1b4ea134 
 Δh0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 m    52a600a8 2c3b8434 ea92dfcf d4eaf9ad b77fe08d 7c50e542 69c783a6 86a14e10 
      baf88b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc 
 m*   52a600a8 2c3b8434 ea92dfcb 0cdba38b f514e39d 7a5bb4cb ee6bcba6 c58f6a0f 
      b2f78b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc 
 Δm   00000000 00000000 00000004 d8315a26 426b0310 060b5189 87ac4800 432e241f 
      080f0000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 h1   d0b41ffa e1f519a2 e3cad2ed a19d5795 906ac05f c995f6c8 cf309f95 9fb9ca57 
 h1*  d0b41ffa e1f519a2 e3cad2ed a19d5795 906ac05f c995f6c8 cf309f95 9fb9ca57 
 Δh1  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
Table 7. Characteristic for a collision for 27 steps of SHA-256. [Table body not reproduced.] 


Table 8. Collision for 27 steps of SHA-256 (h0 is the SHA-256 initial value) 

 h0   6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 
 m    725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 278dfd29 
      0c40f8ea d8bd68a0 0ce670c5 5ec7155d 9f6407a8 729fbfe8 aa7c7c08 607ae76d 
 m*   725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 27460e6d 
      08c8fbea d8bd68a0 0ce670c5 5ec7155d 9f4425fb 729fbfe8 aa7c7c08 2d32d129 
 Δm   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00cbf344 
      04880300 00000000 00000000 00000000 00202253 00000000 00000000 4d483644 
 h1   5864015f 133494fa fa42bb35 94bc44f9 29eabb36 9e461e33 2eab27f8 106467c9 
Abstract. ARMADILLO2 is the recommended variant of a multi-purpose 
cryptographic primitive dedicated to hardware which has been 
proposed by Badel et al. in [1]. In this paper, we describe a meet-in-the-middle 
technique relying on the parallel matching algorithm that 
allows us to invert the ARMADILLO2 function. This makes it possible 
to perform a key recovery attack when it is used as a FIL-MAC. A variant 
of this attack can also be applied to the stream cipher derived from 
the PRNG mode. Finally we propose a (second) preimage attack when it is 
used as a hash function. We have validated our attacks by implementing 
the cryptanalysis on scaled variants. The experimental results match the 
theoretical complexities. 

In addition to these attacks, we present a generalization of the parallel 
matching algorithm, which can be applied in a broader context than 
attacking ARMADILLO2. 

Keywords: ARMADILLO2, meet-in-the-middle, key recovery attack, 
preimage attack, parallel matching algorithm. 


1 Introduction 

ARMADILLO is a multi-purpose cryptographic primitive dedicated to hardware 
which was proposed by Badel et al. in [1]. Two variants were presented: 
ARMADILLO and ARMADILLO2, the latter being the recommended version. 
In the following, the first variant will be denoted ARMADILLO1 to distinguish 
it from ARMADILLO2. Both variants comprise several versions, each 
one associated to a different set of parameters and to a different security level. 
For both primitives, several applications are proposed: fixed input-length MAC 
(FIL-MAC), pseudo-random number generator/pseudo-random function 
(PRNG/PRF), and hash function. A polynomial attack on ARMADILLO1 has 
been presented. Even if the design of ARMADILLO2 is similar to the design 
of the first version, the authors of that attack claim that it cannot be applied to 
ARMADILLO2. 

The ARMADILLO family uses a parameterized internal permutation as a 
building block. This internal permutation is based on two bitwise permutations 
$\sigma_0$ and $\sigma_1$. In [1], these permutations are not specified, but some of the properties 
that they must satisfy are given. 

In this paper we provide the first cryptanalysis of ARMADILLO2, the recommended 
variant. As the bitwise permutations $\sigma_0$ and $\sigma_1$ are not specified, 
we have performed our analysis under the reasonable assumption that they behave 
like random permutations. As a consequence, the results of this paper are 
independent of the choice for $\sigma_0$ and $\sigma_1$. 

To perform our attack, we use a meet-in-the-middle approach and an evolved 
variant of the parallel matching algorithm introduced in [2] and subsequently 
generalized. Our method enables us to invert the building block of ARMADILLO2 
for a chosen value of the public part of the input, when a part of the output is 
known. We can use this step to build key recovery attacks faster than exhaustive 
search on all versions of ARMADILLO2 used in the FIL-MAC application mode. 
Besides, we propose several trade-offs for the time and memory needed for these 
attacks. We also adapt the attack to recover the key when ARMADILLO2 is used 
as a stream cipher in the PRNG application mode. We further show how to build 
(second) preimage attacks faster than exhaustive search when using the hashing 
mode, and propose again several time-memory trade-offs. We have implemented 
the attacks on a scaled version of ARMADILLO2, and the experimental results 
confirm the theoretical predictions. 

Organization of the paper. We briefly describe ARMADILLO2 in Section 2. In 
Section 3 we detail our technique for inverting its building block and we explain 
how to extend the parallel matching algorithm to the case of ARMADILLO2. 
In Section 4 we explain how to apply this technique to build a key recovery 
attack on the FIL-MAC application mode. We briefly show how to adapt this 
attack to the stream cipher scenario in Section 5. The (second) preimage attack 
on the hashing mode is presented in Section 6. In Section 7 we present the 
experimental results of the verification that we have done on a scaled version of 
the algorithm. Finally, in Section 8 we propose a general form of the parallel 
matching algorithm derived from our attacks which can hopefully be used in 
more general contexts. 


310 M.A. Abdelraheem et al. 


2 Description of ARMADILL02 

The core of ARMADILLO is based on the so-called data- dependent bit trans- 
positions We recall the description of ARMADILL02 given in [I] using the 
same notations. 

2.1 Description 

Let C be an initial vector of size c and U be a message block of size m. The size 
of the register (C\\U) is k = c+ m. The ARMADILL02 function transforms the 
vector ( C , U) into ( V c , V t ) as described in Figured 
ARMADILL02 : F§ x Fg 1 — > F£ x F£* 

(C, U) i — ► (V c , Vt) = ARMADILL02((7, U). 

The function ARMADILL02 relies on an internal bitwise parameterized permu- 
tation denoted by Q which is defined by a parameter A of size a and is applied 
to a vector B of size k: 

Q : FgxF§^F§ 

(A,B) »Q(A,B) = Q a (B) 



Let σ0 and σ1 be two fixed bitwise permutations of size k. In [1] the
permutations are not defined but some criteria they should fulfil are given. As the
attacks presented in this paper are valid for any bitwise permutations, we do
not describe these properties. We just stress that in the following, when
computing the complexities, we assume that these permutations behave like random
ones. We denote by γ a constant of size k defined by alternating 0's and 1's:
γ = 1010···10.

Using these notations, we can define Q, which is used twice in the
ARMADILLO2 function. Let A be a parameter and B be the internal state;
the parameterized permutation Q (that we denote by Q_A when indicating the
parameter is necessary) consists of a = |A| simple steps. The i-th step of Q
(reading A from its least significant bit to its most significant one) is defined by:

- an elementary bitwise permutation: B ← σ_{A_i}(B), that is:

  • if the i-th bit of A equals 0 we apply σ0 to the current state,

  • otherwise (if the i-th bit of A equals 1) we apply σ1 to the current state,

- a constant addition (bitwise xor) of γ: B ← B ⊕ γ.

Using the definition of the permutation Q, we can describe the function
ARMADILLO2. Let (C, U) be the input; then ARMADILLO2(C, U) is defined
by:

- first compute X ← Q_U(C||U),

- then compute Y ← Q_X(C||U),

- finally compute (V_c||V_t) ← Y ⊕ X; the output is (V_c, V_t).
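The construction above as an added reference model, not the designers' code: since the design leaves σ0 and σ1 unspecified, they are drawn here from a seeded RNG (constructed sample permutations), bit vectors are lists with index 0 as the least significant bit, and U sits in the low m bits of the register. All function names are this example's own; besides ARMADILLO2 itself it provides Q_A^{-1} and the position map of Q_A, the two operations the inversion of Section 3 relies on.

```python
"""Reference model of the ARMADILLO2 core function described in Section 2.1.

Added illustration, not the designers' code. sigma_0 and sigma_1 are constructed
from a seeded RNG because the design leaves them unspecified. Bit vectors are
Python lists with index 0 = least significant bit, and U occupies the low m
positions of the register (C||U).
"""
import random


def int_to_bits(value, n):
    """n-bit list of `value`, index 0 = least significant bit."""
    return [(value >> i) & 1 for i in range(n)]


def random_bit_permutation(k, seed):
    """A fixed bitwise permutation of size k: perm[i] is where bit i moves."""
    perm = list(range(k))
    random.Random(seed).shuffle(perm)
    return perm


def invert_permutation(perm):
    inv = [0] * len(perm)
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv


def apply_permutation(perm, bits):
    out = [0] * len(bits)
    for i, bit in enumerate(bits):
        out[perm[i]] = bit
    return out


def gamma(k):
    """The constant gamma = 1010...10: bit 0 is 0, bit 1 is 1, and so on."""
    return [i % 2 for i in range(k)]


def Q(A, B, sigma0, sigma1):
    """Q_A(B): for each bit of A, read from the LSB, apply sigma_0 (bit 0) or
    sigma_1 (bit 1) to the state, then xor the constant gamma."""
    state, g = list(B), gamma(len(B))
    for bit in A:
        state = apply_permutation(sigma1 if bit else sigma0, state)
        state = [s ^ c for s, c in zip(state, g)]
    return state


def Q_inverse(A, Y, sigma0, sigma1):
    """Undo Q_A by running the steps backwards (xor gamma, then un-permute).
    This is how known bits of X are traced back to (C||U) in Section 3."""
    inv = (invert_permutation(sigma0), invert_permutation(sigma1))
    state, g = list(Y), gamma(len(Y))
    for bit in reversed(A):
        state = [s ^ c for s, c in zip(state, g)]
        state = apply_permutation(inv[bit], state)
    return state


def position_map(A, sigma0, sigma1):
    """Where each input bit of Q_A ends up. Q_A is a bit permutation followed
    by a constant xor, so the positions depend on A only, not on the state."""
    positions = list(range(len(sigma0)))
    for bit in A:
        positions = [(sigma1 if bit else sigma0)[p] for p in positions]
    return positions


def armadillo2(C, U, sigma0, sigma1):
    """(V_c, V_t) = ARMADILLO2(C, U) on a k = c + m bit register."""
    m = len(U)
    register = U + C                       # (C||U): U in the m low bits
    X = Q(U, register, sigma0, sigma1)     # pre-processing, m steps
    Y = Q(X, register, sigma0, sigma1)     # main permutation, k steps
    out = [y ^ x for y, x in zip(Y, X)]    # (V_c||V_t) = Y xor X
    return out[m:], out[:m]                # V_c = high c bits, V_t = low m bits


def u_bits_in_low_part(U, sigma0, sigma1):
    """Number of bits of U that Q_U places among the m least significant bits
    of X (the quantity Section 4.1 maximises over the choice of U)."""
    m = len(U)
    positions = position_map(U, sigma0, sigma1)
    return sum(1 for i in range(m) if positions[i] < m)


if __name__ == "__main__":
    # Scaled parameters of Section 6: c = 30, m = 18, k = 48.
    s0 = random_bit_permutation(48, seed=1)
    s1 = random_bit_permutation(48, seed=2)
    C = int_to_bits(0x12345678, 30)        # constructed sample key
    U = int_to_bits(0x2BEEF, 18)           # constructed sample block
    Vc, Vt = armadillo2(C, U, s0, s1)
    print("V_c =", hex(sum(b << i for i, b in enumerate(Vc))))
    print("V_t =", hex(sum(b << i for i, b in enumerate(Vt))))
    print("bits of U in the low m bits of X:", u_bits_in_low_part(U, s0, s1))
```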

Actually c and m can take different values depending on the required security
level. A summary of the sets of parameters for the different versions (A, B, C,
D or E) proposed in [1] is given in Table 1.


Table 1. Sets of parameters for the different versions of ARMADILLO2

Version    k    c    m
A        128   80   48
B        192  128   64
C        240  160   80
D        288  192   96
E        384  256  128


2.2 A Multi-purpose Cryptographic Primitive 

The general-purpose cryptographic function ARMADILLO2 can be used for
three types of applications: FIL-MAC, hashing, and PRNG/PRF.

ARMADILLO2 in FIL-MAC mode. The secret key is C and the challenge,
considered known by the attacker, is U. The response is V_t.

ARMADILLO2 in hashing m\
ode. It uses a strengthened Merkle-Damgård construction, where V_c is the
chaining value or the hash digest, and U is the message block.

ARMADILLO2 in PRNG/PRF mode. The output sequence is obtained by taking
the first t bits of (V_c, V_t) after at least r iterations. For ARMADILLO2 the
proposed values are r = 1 and t = k (see [1, Sec. 6]). When used as a stream
cipher, the secret key is C. The keystream is composed of k-bit frames indexed
by U, which is a public value.
3 Inverting the ARMADILLO2 Function

In [1] a sketch of a meet-in-the-middle (MITM) attack on ARMADILLO1, the
first variant of the primitive, is given by the authors to prove lower bounds
for the complexity and justify the choice of parameters. However, they do not
develop their analysis further.

In this section we describe how to invert the ARMADILLO2 function when
a part of the output (V_c, V_t) is known and U is chosen in the input (C||U).
Inverting means that we recover C. The method we present can be performed
for any arbitrary bitwise permutations σ0 and σ1. To conduct our analysis we
suppose that they behave like random ones. Indeed, if the permutations σ0 and
σ1 did not behave like random ones, one could exploit their distributions to
reduce the complexities of the attacks presented in this paper. Therefore, we are
considering the worst case scenario for an attacker.

First, we describe the meet-in-the-middle technique we use. It provides two
lists of partial states in the middle of the main permutation Q_X. To determine a
list of possible values for C, we need to select a subset of the cartesian product
of these two lists containing consistent couples of partial states. To build such a
subset efficiently, we explain how to use an adaptation of the parallel matching
algorithm presented in [2]. Then we present and apply the adapted algorithm
and compute its time and memory complexities.

All the cryptanalysis we present on the different applications of ARMADILLO2
relies on the technique for recovering C presented in this section.

3.1 The Meet-in-the-Middle Technique 

Whatever mode ARMADILLO2 is embedded in, we use the following facts:

- We can choose the m-bit vector U in the input vector (C||U).

- We know part of the output vector (V_c||V_t): the m-bit vector V_t in the FIL-
MAC, the (c+m)-bit vector (V_c||V_t) in the PRNG/PRF and the c-bit vector
V_c in the hash function.

We deal with two permutations: the pre-processing Q_U, which is known as U
is known, and the main permutation Q_X, which is unknown, and we exploit the
three following facts:

- The permutation Q_U used in the pre-processing X = Q_U(C||U) is known.
This implies that all the known bits in the input of the permutation can
be traced to their corresponding positions in X. For instance, there are m
coordinates of X whose values are determined by choosing U.

- The output of the main permutation Y = (V_c||V_t) ⊕ X implies we know some
bits of Y. The number of known bits of Y is denoted by y and depends
on the mode we are focusing on through (V_c||V_t).

- In the sequel, we divide X in two parts: X = (X_out||X_in). Then, the main
permutation Y = Q_X(C||U) can be divided in two parts, Q_{X_in} and Q_{X_out},
separated by a division line we call the middle; hence we perform the meet-
in-the-middle technique between Q_{X_in} and Q_{X_out}.
As (X_out||X_in) = Q_U(C||U), we denote by m_in (resp. m_out) the number of bits
of U that are in X_in (resp. X_out). We have m_out + m_in = m. We denote by
ℓ_in (resp. ℓ_out) the number of bits coming from C in X_in (resp. X_out). We have
ℓ_out + ℓ_in = c. The meet-in-the-middle attack is done by guessing the ℓ_in unknown
bits of X_in and the ℓ_out unknown bits of X_out independently.

First, consider the forward direction. We can trace the ℓ_in unknown bits of
X_in back to C with Q_U^{-1}. Next, for each possible guess of X_in, we can trace the
corresponding bits from C plus the m bits from U to their positions in the
middle by computing Q_{X_in}(C||U). Then consider the backward direction: we can
trace the y known bits of Y back to the middle for each possible guess of X_out,
that is, computing Q_{X_out}^{-1}(Y). This way we can obtain two lists L_in and L_out, of
size 2^{ℓ_in} and 2^{ℓ_out} respectively, of elements that represent partially known states
in the middle of Q_X.

To describe our meet-in-the-middle attack we represent the partial states in
the middle of Q_X as ternary vectors with coordinate values from {0, 1, −}, where
− denotes a coordinate (or cell) whose value is unknown. We say that a cell is
active if it contains 0 or 1 and inactive otherwise. The weight of a vector V,
denoted by wt(V), is the number of its active cells. Two partial states are a
match if their colliding active cells have the same values.

The list L_in contains elements Q_{X_in}(C||U) whose weight is x = ℓ_in + m. The
list L_out contains elements Q_{X_out}^{-1}(Y) whose weight is y. When taking one element
from each list, the probability of finding a match will then depend on the number
of collisions of active cells between these two elements.



Fig. 2. Overview of the inversion of the ARMADILL02 core function 

Consider a vector A in {0, 1, −}^k with weight a. We denote by P_[k,a,b](i) the
probability over all the vectors B ∈ {0, 1, −}^k with weight b of having i active
cells at the same positions in A and B. This event corresponds to the situation
where there are i active cells of B among the a active positions in A and the
remaining (b − i) active cells of B lie in the (k − a) inactive positions in A. As
the number of vectors of length k and weight b is \binom{k}{b}, we have:

P_{[k,a,b]}(i) = \frac{\binom{a}{i}\binom{k-a}{b-i}}{\binom{k}{b}}.

Taking into account the probability of having active cells at the same positions
in a pair of elements from (L_in, L_out) and the probability that these active cells
do have the same value, we can compute the expected probability of finding a
match for a pair of elements, that we will denote 2^{-N_coll}. We have:

2^{-N_{coll}} = \sum_{i=0}^{\min(x,y)} P_{[k,x,y]}(i)\, 2^{-i}.

This means that there will be a possible match with a probability of 2^{-N_coll}. In
total we will find 2^{ℓ_in + ℓ_out − N_coll} pairs of elements that pass this test. Each pair
of elements defines a whole C value. Next, we just have to check which of these
values is the correct one.
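The match probability above, as an added example that is not the authors' code: P_[k,a,b](i) and 2^{-N_coll} are evaluated exactly with rational arithmetic and, for a constructed toy length k = 6, the formula is checked against an exhaustive count over all weight-x and weight-y ternary vectors under the association rule just defined. Function names are this example's own.

```python
"""Match probability between the partial middle states of Section 3.1.

Added illustration, not the authors' code. P_[k,a,b](i) and 2^-N_coll are
computed exactly with Fractions; for a constructed toy length k = 6 the formula
is checked against an exhaustive count over the ternary vectors of weight x
and weight y with the paper's association rule (colliding active cells agree).
"""
from fractions import Fraction
from itertools import combinations, product
from math import comb, log2


def P(k, a, b, i):
    """Probability, over all weight-b vectors B in {0,1,-}^k, that exactly i
    active cells of B fall on the a active positions of a fixed vector A."""
    if i < 0 or i > a or b - i < 0 or b - i > k - a:
        return Fraction(0)
    return Fraction(comb(a, i) * comb(k - a, b - i), comb(k, b))


def match_probability(k, x, y):
    """2^-N_coll = sum_i P_[k,x,y](i) 2^-i: each of the i colliding active
    cells carries the same value with probability 1/2."""
    return sum((P(k, x, y, i) / 2 ** i for i in range(min(x, y) + 1)), Fraction(0))


def n_coll(k, x, y):
    """N_coll itself, so that 2^(l_in + l_out - N_coll) pairs pass the test."""
    return -log2(float(match_probability(k, x, y)))


def is_match(u, v):
    """Two partial states match if their colliding active cells agree."""
    return all(a == '-' or b == '-' or a == b for a, b in zip(u, v))


def ternary_vectors(k, weight):
    """All vectors of {0,1,-}^k with exactly `weight` active cells."""
    for positions in combinations(range(k), weight):
        for values in product('01', repeat=weight):
            cells = ['-'] * k
            for pos, val in zip(positions, values):
                cells[pos] = val
            yield ''.join(cells)


def exhaustive_match_probability(k, x, y):
    """Fraction of (weight-x, weight-y) pairs that match, by brute force."""
    l_in, l_out = list(ternary_vectors(k, x)), list(ternary_vectors(k, y))
    hits = sum(is_match(u, v) for u in l_in for v in l_out)
    return Fraction(hits, len(l_in) * len(l_out))


if __name__ == "__main__":
    print("toy k=6, x=3, y=3:", match_probability(6, 3, 3),
          "exhaustive:", exhaustive_match_probability(6, 3, 3))
    # ARMADILLO2-A in FIL-MAC mode with l_in = 46 (Table 2): x = 46 + 48, y = 38
    print("ARMADILLO2-A, x=94, y=38: N_coll = %.2f" % n_coll(128, 94, 38))
```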

The big question now is that of the cost of checking which elements of the two
lists L_in and L_out pass the test. The ternary alphabet of the elements and the
changing positions of the active cells make it impossible to apply the approach
of traditional MITM attacks, that is, having an ordered list L_in and checking for
each element in the list L_out if a match exists with cost 1 per element. Even
more, a priori, for each element in L_in we would have to try if it matches each
of the elements from L_out independently, which would yield the complexity of
exhaustive search.

For solving this problem we adapt the algorithm described in [2, Sec. 2.3] as
parallel matching to the case of ARMADILLO2. A generalized version of the
algorithm is exposed in Section 7 with detailed complexity calculations and the
link to our application case.

3.2 ARMADILLO2 Matching Problem: Matching Non-random Elements

Recently, new algorithms have been proposed in [2] to solve the problem of
merging several lists of big sizes with respect to a given relation t that can be
verified by tuples of elements. These new algorithms take advantage of the special
structures that can be exhibited by t to reduce the complexity of solving this
problem. As stated in [2], the problem of merging several lists can be reduced to
the problem of merging two lists. Hereafter, we recall the reduced Problem 1
proposed in [2] that we are interested in.

Problem 1 ([2]). Let L_1 and L_2 be 2 lists of binary vectors of size 2^{ℓ_1} and 2^{ℓ_2}
respectively. We denote by x a vector of L_1 and by y a vector of L_2.

We assume that vectors x and y can be decomposed into z groups of s bits,
i.e. x, y ∈ ({0,1}^s)^z and x = (x_1, ..., x_z) (resp. y = (y_1, ..., y_z)). The vectors
in L_1 and L_2 are drawn uniformly and independently at random from {0,1}^{sz}.

Let t be a Boolean function, t : {0,1}^{sz} × {0,1}^{sz} → {0,1}, such that there
exist some functions t_j : {0,1}^s × {0,1}^s → {0,1} which verify:

t(x, y) = 1 \iff \forall j,\ 1 \le j \le z,\ t_j(x_j, y_j) = 1.

Problem 1 consists in computing the set L_sol of all 2-tuples (x, y) of (L_1 × L_2)
verifying t(x, y) = 1. This operation is called merging the lists L_1 and L_2 with
respect to t.

One of the algorithms proposed in [2] to solve Problem 1 is the parallel matching
algorithm, which is the one that provides the best time complexity when the
number of possible associated elements to one element is bigger than the size of
the other list, i.e., when we can associate by t more than |L_2| elements to an
element from L_1 as well as more than |L_1| elements to an element from L_2.

In our case, the lists L_in and L_out correspond to the lists L_1 and L_2 to merge,
but the application of this algorithm differs in two aspects. The first one is
the alphabet, which is not binary anymore but ternary. The second aspect is
the distribution of vectors in the lists. In Problem 1, the elements are drawn
uniformly and independently at random while in our case the distribution is
ruled by the MITM technique we use. For instance, all the elements of L_in have
the same weight x and all the elements of L_out have the same weight y, which
is far from the uniform case.

The function t is the association rule we use to select suitable vectors from
L_in and L_out. We say that two elements are associated if their colliding active
cells have the same values. We can now specify a new Problem 1 adapted for
ARMADILLO2:

ARMADILLO2 Problem 1. Let L_in and L_out be 2 lists of ternary vectors of
size 2^{ℓ_in} and 2^{ℓ_out} respectively. We denote by x a vector of L_in and by y a vector
of L_out, with x, y ∈ {0, 1, −}^k.

The lists L_in and L_out are obtained by the MITM technique described in
Section 3.1.

Let t : {0, 1, −}^k × {0, 1, −}^k → {0, 1} be the function defined by
t = t_1 · t_2 ··· t_{k−1} · t_k and:

\forall j,\ 1 \le j \le k,\quad t_j : \{0, 1, -\} \times \{0, 1, -\} \to \{0, 1\},

x_j            0  0  0  1  1  1  -  -  -
y_j            0  1  -  0  1  -  0  1  -
t_j(x_j, y_j)  1  0  1  0  1  1  1  1  1

We say that x and y are associated if t(x, y) = 1.

ARMADILLO2 Problem 1 consists in merging the lists L_in and L_out with
respect to t.

We can now adapt the parallel matching algorithm to ARMADILLO2
Problem 1.
3.3 Applying the Parallel Matching Algorithm to ARMADILLO2

The principle of the parallel matching algorithm is to consider in parallel the
possible matches for the α first cells and the next β cells in the lists L_in and
L_out. The underlying idea is to improve, when possible, the complexity to find
all the elements that are a match for the (α + β) first cells. To have a match
between a vector in L_in and a vector in L_out, the vectors should satisfy:

- the vector in L_in has u of its x active cells among the (α + β) first cells;

- the vector in L_out has v of its y active cells among the (α + β) first cells;

- looking at the (α + β) first cells, both vectors should have the same value at
the same active positions.

As x and y are the numbers of known bits from (C||U) and from Y resp. (see
Fig. 2), the matching probability on the first (α + β) cells is:

2^{-N_{coll}^{\alpha,\beta}} = \sum_{u=0}^{x} P_{[k,\alpha+\beta,x]}(u) \cdot \sum_{v=0}^{y} P_{[k,\alpha+\beta,y]}(v) \cdot \sum_{w=0}^{\min(u,v)} 2^{-w} P_{[\alpha+\beta,v,u]}(w).

This means that we will find 2^{c − N_coll^{α,β}} partial solutions. For each pair passing
the test we will have to check next if the remaining k − α − β cells are verified.




Fig. 3. Lists used in the parallel matching algorithm 


In a pre-processing phase, we first need to build three lists, namely L_A, L_B,
L'_B, which are represented in Fig. 3.

List L_A contains all the elements of the form (x_1^A, ..., x_α^A, y_1^A, ..., y_α^A) with
(x_1^A, ..., x_α^A) ∈ {0, 1, −}^α and (y_1^A, ..., y_α^A) being associated to (x_1^A, ..., x_α^A).
The size of L_A is:

|L_A| = \sum_{i=0}^{\alpha} \binom{\alpha}{i}\, 2^{i}\, 3^{\alpha-i}\, 2^{i} = 7^{\alpha}.

List L_B contains all the elements of the form (x_1^B, ..., x_β^B, y_1^B, ..., y_β^B) with
(x_1^B, ..., x_β^B) ∈ {0, 1, −}^β and (y_1^B, ..., y_β^B) being associated to (x_1^B, ..., x_β^B).
The size of L_B is:

|L_B| = \sum_{i=0}^{\beta} \binom{\beta}{i}\, 2^{i}\, 3^{\beta-i}\, 2^{i} = 7^{\beta}.

List L'_B contains, for each element (x_1^B, ..., x_β^B, y_1^B, ..., y_β^B) in L_B, all the
elements x from L_in such that (x_{α+1}, ..., x_{α+β}) = (x_1^B, ..., x_β^B). Elements in L'_B
are of the form (y_1^B, ..., y_β^B, x_1, ..., x_k) indexed by (y_1^B, ..., y_β^B, x_1, ..., x_α).
The probability for an element in L_in to have i active cells in its next β cells
is P_[k,β,x](i). The size of L'_B is:

|L'_B| = \sum_{i=0}^{\beta} 3^{\beta-i}\, 2^{i}\, 2^{\ell_{in}}\, P_{[k,\beta,x]}(i).

The cost of building L'_B is upper bounded by (|L'_B| + 3^β), where 3^β captures
the cases where no element in L_in corresponds to elements in L_B and is
normally negligible.

Next, we do the parallel matching. The probability for an element in L_out to have
i active cells in its α first cells being P_[k,α,y](i), for each element (x_1^A, ..., x_α^A, y_1^A, ..., y_α^A)
in L_A we consider the elements y among the 2^{ℓ_out} elements of L_out such that
(y_1, ..., y_α) = (y_1^A, ..., y_α^A). Then we check in L'_B if elements indexed by
(y_{α+1}, ..., y_{α+β}, x_1^A, ..., x_α^A) exist. If this is the case, we check if each found
pair of the form (x, y) verifies the remaining (k − α − β) cells. As we already
noticed, we will find about 2^{c − N_coll^{α,β}} partial solutions for which we will have to
check whether or not they meet the remaining conditions.

The time complexity of this algorithm is:

O\Big( 2^{c - N_{coll}^{\alpha,\beta}} + 7^{\alpha} + 7^{\beta} + \sum_{i=0}^{\beta} 3^{\beta-i}\, 2^{i}\, 2^{\ell_{in}}\, P_{[k,\beta,x]}(i) + \sum_{i=0}^{\alpha} 3^{\alpha-i}\, 2^{i}\, 2^{\ell_{out}}\, P_{[k,\alpha,y]}(i) \Big).

The memory complexity is determined by 7^α + 7^β + |L'_B|. We can notice that if

\sum_{i=0}^{\beta} 3^{\beta-i}\, 2^{i}\, 2^{\ell_{in}}\, P_{[k,\beta,x]}(i) > \sum_{i=0}^{\alpha} 3^{\alpha-i}\, 2^{i}\, 2^{\ell_{out}}\, P_{[k,\alpha,y]}(i),

we can exchange the roles of L_in and L_out, so that the time complexity remains
the same but the memory complexity will be reduced. The memory complexity
is then:

O\Big( 7^{\alpha} + 7^{\beta} + \min\Big( \sum_{i=0}^{\beta} 3^{\beta-i}\, 2^{i}\, 2^{\ell_{in}}\, P_{[k,\beta,x]}(i),\ \sum_{i=0}^{\alpha} 3^{\alpha-i}\, 2^{i}\, 2^{\ell_{out}}\, P_{[k,\alpha,y]}(i) \Big) \Big).

4 Meet in the Middle Key Recovery Attacks 

4.1 Key Recovery Attack in the FIL-MAC Setting 

In the FIL-MAC usage scenario, C is the secret key and U is the challenge.
The response is the m-bit vector V_t. In order to minimize the complexity
of our attack, we want the number of known bits y from Y to be maximal. As
Y = (V_c||V_t) ⊕ X and X = Q_U(C||U), it means that we are interested in having
the maximum number of bits from U among the m less significant bits of X.

1 We can use standard hash tables for storage and look up in constant time.

As we have m bits of freedom in U for choosing the permutation Q_U, we need
the probability of having i known bits (from U) among the m first ones (of X),
P_[k,m,m](i), to be bigger than 2^{-m}. Then, to maximize the number of known bits
in Y, we choose y as follows:

y = \max_{i} \{\, i : P_{[k,m,m]}(i) > 2^{-m} \,\}.   (1)

For instance, for ARMADILLO2-A we have y = 38 with a probability of 2^{-45.19} > 2^{-48}.

Then, from now on, we assume that we know y among the m bits of the lower
part of X and y bits at the same positions of Y.

Now, we can apply our meet-in-the-middle technique which allows us to
recover the key. We have computed the optimal parameters for the different
versions of ARMADILLO2, with different trade-offs; the generic attack has a
complexity of 2^c. The results appear in Table 2.

For each version of ARMADILLO2 presented in Table 2, the first line
corresponds to the (log_2 of the) size of the lists L_in and L_out with the smallest time
complexity. The second line corresponds to the best parameters when limiting
the memory complexity to 2^{45}. In all cases, the complexity is determined by the
parallel matching part of the attack. The data complexity of all the attacks is 1,
that is, we only need one pair of plaintext/ciphertext to succeed.


Table 2. Complexities of the meet-in-the-middle key recovery attack on the FIL-MAC
application

Version        c    m   ℓ_out  ℓ_in   α   β   log2(Time compl.)  log2(Mem. compl.)
ARMADILLO2-A   80   48    34    46    ?   ?        72.54               ?
                          18    62    ?   ?        75.05               ?
ARMADILLO2-B  128   64    58    70    ?   ?       117.97               ?
                          38    90    ?   ?       125.15               ?
ARMADILLO2-C  160   80    76    84    ?   ?       148.00               ?
                          35   125    ?   ?       156.63               ?
ARMADILLO2-D  192   96    92   100    ?   ?       177.98               ?
                          29   163    ?   ?       187.86               ?
ARMADILLO2-E  256  128   125   131    ?   ?       237.91               ?
                          29   227    ?   ?       251.55               ?

(? marks a cell that is not legible in this copy; ℓ_in = c − ℓ_out.)


4.2 Key Recovery Attack in the Stream Cipher Setting

As presented in [1], ARMADILLO2 can be used as a PRNG by taking the t first
bits of (V_c, V_t) after at least r iterations. For ARMADILLO2, the authors state
in [1, Sec. 6] that r = 1 and t = k is a suitable parameter choice. If we want
to use it as a stream cipher, the secret key is C. The keystream is composed of
k-bit frames indexed by U, which is a public value.

In this setting, we can perform an attack which is similar to the one on the
FIL-MAC, but with different parameters. As we know more bits of the output
of Q_X, y = m + ℓ_out, the complexities of the key recovery attack are lower.

In general, the best time complexity is obtained when ℓ_in = ℓ_out, as the number
of known bits at each side is now x = m + ℓ_in in the input and y = m + ℓ_out in
the output. In this context it also appears that the best time complexity occurs
when α = β. There might be a small difference between α and β when the
leading term of the time complexity is 2^{c − N_coll^{α,β}}.

We present the best complexities we have computed for this attack in Table 3;
the generic attack has a complexity of 2^c. Other time-memory trade-offs
would be possible. As in the previous section, we give as an example the best
parameters when limiting the memory complexity to 2^{45}.


Table 3. Complexities of the meet-in-the-middle key recovery attack for the stream
cipher with various trade-offs

Version        c    m   ℓ_out  ℓ_in   α   β   log2(Time compl.)  log2(Mem. compl.)
ARMADILLO2-A   80   48    40    40    ?   ?        65.23             62.91
                          27    53    ?   ?        71.62             45
ARMADILLO2-B  128   64    64    64    ?   ?       104.71            101.75
                          29    99    ?   ?       119.69             45
ARMADILLO2-C  160   80    80    80    ?   ?       130.53            127.49
                          26   134    ?   ?       151.29             45
ARMADILLO2-D  192   96    96    96    ?   ?       156.35            153.23
                          30   162    ?   ?       184.37             45
ARMADILLO2-E  256  128   128   128    ?   ?       207.96            205.93
                          30   226    ?   ?       248.66             45

(? marks a cell that is not legible in this copy; ℓ_in = c − ℓ_out.)


5 (Second) Preimage Attack on the Hashing Applications

We recall that the hash function built with ARMADILLO2 as a compression
function follows a strengthened Merkle-Damgård construction, where the padding
includes the message length. In this case C represents the input chaining value,
U the message block and V_c the generated new chaining value and the hash
digest. In [1] the authors state that (second) preimages are expected with a
complexity of 2^c, the one of the generic attack. We show, in this section, how to
build (second) preimage attacks with a smaller complexity.


5.1 Meet-in-the-Middle (Second) Preimage Attack

The principle of the attack is represented in Fig. 4. We first consider that the
ARMADILLO2 function is invertible with a complexity of 2^q, given an output
V_c and a message block. In the preimage attack, we choose and fix ℓ, the number
of blocks of the preimage. In the second preimage attack, we can consider the
length of the given message. Then, given a hash value h:

In the backward direction:

- We invert the insertion of the last block M_pad (padding). This step costs
2^q in a preimage scenario and 1 in a second preimage one. We get
ARMADILLO2^{-1}(h, M_pad) = S'.

- From state S', we can invert the compression function for 2^b different
message blocks M_b with a cost 2^{b+q}, obtaining 2^b different intermediate
states: ARMADILLO2^{-1}(S', M_b) = S''.

In the forward direction: From the initial chaining value, we insert 2^a
messages of length (ℓ − 2) blocks, M = M_1||M_2||..., obtaining 2^a
intermediate states S. This can be done with a complexity of O((ℓ − 2) 2^a).

If we find a collision between one of the 2^a states S and one of the 2^b states
S'', we have obtained a (second) preimage that is M||M_b||M_pad.





Fig. 4. Representation of the meet-in-the-middle (second) preimage attack 

A collision occurs if a + b ≥ c. The complexity of this attack is 2^a + 2^q + 2^{b+q} in
time, where the middle term appears only in the case of a preimage attack and
is negligible. The memory complexity is about 2^b (plus the memory needed for
inverting the compression function). So if 2^q < 2^c, we can find a and b so that
2^a + 2^{b+q} < 2^c.

5.2 Inverting the Compression Function

In the previous section we showed that inverting the compression function for a
chosen message block and for a given output can be done with a cost of 2^q < 2^c.
In this section we show how this complexity depends on the chosen message
block, as the inversion can be seen as a key recovery similar to the one done
in Section 4. In this case we know U (the message block) and V_c, and we want
to find C. When inverting the function with the blocks M_b, we choose message
blocks (U) that define permutations Q_U which put most of the m bits from U
among the c most significant bits of X. This will result in better attacks, as the
bits in Y known from U do not cost anything and this gives us more freedom
when choosing the parameters ℓ_in and ℓ_out.

As before, we have 2^m possibilities for Q_U. We denote by n the number of
bits of U in the c most significant bits of X. The number of message blocks (U)
verifying this condition is:

N_{block}(n) = 2^{m}\, P_{[k,c,m]}(n).
In fact we are interested in the values of n which are the greatest possible (to
lower the complexity) that still leave enough message blocks to invert in order
to obtain S''. It means that these values belong to a set {n_i} such that:

\sum_{\{n_i\}} N_{block}(n_i) \ge 2^{b}.

As the output is V_c, the ℓ_out bits guessed from X are also known bits from the
output of Q_X. The number of known bits of the output of Q_X is then defined
by:

y = \min(c,\ \ell_{out} + n).

Compared to the key recovery attack, the number of known bits at the end of the
permutation Q_X is significantly bigger, as we may know up to c bits, while in the
previous case the maximal number for y was y = max_i {i : P_[k,m,m](i) > 2^{-m}}.
To simplify the explanations, we concentrate on the case of ARMADILLO2-A,
which can be directly adapted to any of the other versions. For n = 48 we
have a probability P_[128,80,48](48) = 2^{-44.171}. This leaves 2^{48 − 44.171} = 2^{3.829} message
blocks to invert, which allow us to know y = min(80, ℓ_out + 48) bits from the
output of Q_X. As we need to invert 2^b message blocks, if b is bigger than 3.829,
we have to consider next the message blocks with n = 47, that allow us to
know y = min(80, ℓ_out + 47) bits, and so on. For each n considered, the best
time complexity (2^{q_n}) for inverting ARMADILLO2 might be different, but in
practice, with at most two consecutive values of n we have enough message
blocks for building the attack, and the complexity of inverting the compression
function for these two different types of messages is very similar.
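The selection of y in Eq. (1) of Section 4.1 and the block count N_block(n) of this section, as one added example that is not the authors' code, since both rest on the same probability P_[k,a,b](i): the (c, m) pairs are those of Table 1, and the greedy choice of n values reproduces the n = 48, 47 case of ARMADILLO2-A discussed above. Function names are this example's own.

```python
"""How the choice of the public block U sets the number y of known bits.

Added illustration, not the authors' code. Eq. (1) of Section 4.1 and the
N_block(n) count of Section 5.2 both rest on the hypergeometric probability
P_[k,a,b](i) of Section 3.1; the (c, m) pairs are those of Table 1.
"""
from fractions import Fraction
from math import comb, log2

# Parameter sets of Table 1: version -> (c, m); k = c + m.
VERSIONS = {"A": (80, 48), "B": (128, 64), "C": (160, 80),
            "D": (192, 96), "E": (256, 128)}


def P(k, a, b, i):
    """Probability that a weight-b ternary vector of length k has exactly i
    active cells among the a active positions of a fixed vector."""
    if i < 0 or i > a or b - i < 0 or b - i > k - a:
        return Fraction(0)
    return Fraction(comb(a, i) * comb(k - a, b - i), comb(k, b))


def fil_mac_known_bits(c, m):
    """Eq. (1): y = max{ i : P_[k,m,m](i) > 2^-m }, the most bits of U that
    some choice of U places among the m least significant bits of X."""
    k, threshold = c + m, Fraction(1, 2 ** m)
    return max(i for i in range(m + 1) if P(k, m, m, i) > threshold)


def n_block(c, m, n):
    """N_block(n) = 2^m P_[k,c,m](n): blocks U with n of their m bits among
    the c most significant bits of X."""
    return 2 ** m * P(c + m, c, m, n)


def choose_n_values(c, m, b):
    """Section 5.2: take the greatest n first and stop as soon as the chosen
    block types suffice for the 2^b inversions, i.e. sum N_block(n_i) >= 2^b."""
    chosen, total = [], Fraction(0)
    for n in range(m, -1, -1):
        chosen.append(n)
        total += n_block(c, m, n)
        if total >= 2 ** b:
            return chosen
    return chosen


def known_output_bits(c, l_out, n):
    """y = min(c, l_out + n): known output bits of Q_X when inverting the
    compression function with a block of type n and l_out guessed bits."""
    return min(c, l_out + n)


if __name__ == "__main__":
    for name, (c, m) in VERSIONS.items():
        y = fil_mac_known_bits(c, m)
        print(f"ARMADILLO2-{name}: FIL-MAC y = {y}, "
              f"log2 N_block(m) = {log2(float(n_block(c, m, m))):.2f}")
    # ARMADILLO2-A with b = 7.275, the value used in Section 5.2
    print("n values for A, b = 7.275:", choose_n_values(80, 48, 7.275))
```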


Table 4. Complexities for inverting the compression function

Version        c    m   ℓ_out  ℓ_in   n   log2(N_block(n))   α   β   log2(Time compl.)  log2(Mem. compl.)
ARMADILLO2-A   80   48    35    45   47        9.95         22   ?        65.90             63.08
                          35    45   48        3.83         22  16        65.90             63.08
                          20    60   47        9.95         16   8        71.36             45
                          27    53   48        3.83         11  16        71.62             45
ARMADILLO2-B  128   64    62    66   64       15.89         33  30       104.67            102.35
                          33    95   64       15.89          6  16       120.41             45
ARMADILLO2-C  160   80    78    82   80       19.82         41  38       130.48            128.08
                          26   134   80       19.82         11  16       152.24             45
ARMADILLO2-D  192   96    94    98   96       23.74         49  46       156.31            153.82
                          30   162   96       23.74          8  16       184.37             45
ARMADILLO2-E  256  128   126   130  128       31.58         65  62       207.96            205.30
                          34   222  128       31.58          5  16       249.47             45

(? marks a cell that is not legible in this copy.)


For instance, in ARMADILLO2-A, we consider n = 48, 47, associated each to
2^{3.829} and 2^{9.96} possible message blocks respectively. The best time complexity
for inverting the compression function in both cases is 2^{q_48} = 2^{q_47} = 2^{65.9}, as we
can see from Table 4. If we want to find the best parameters for a and b in the
preimage attack, we can consider that a + b = c and 2^b = 2^{b_48} + 2^{b_47}, and we
want that 2^a = 2^{b_48} 2^{65.9} + 2^{b_47} 2^{65.9} = 2^{65.9}(2^{b_48} + 2^{b_47}), as the complexity of the
attack is O(2^a + 2^{65.9}(2^{b_48} + 2^{b_47})). So if we choose the parameters correctly, the
best time complexity will be O(2^{a+1}).

In this particular case the time complexity for n = 48 and for n = 47 is the
same, so finding the best b and a can be simplified by b = (c − 65.9)/2 and a = c − b.
We obtain b = 7.275, a = 72.95. We see that we do not have enough elements
with n = 48 for inverting 2^b blocks, but we have enough with n = 47 alone. As
the complexities are the same in both cases, we can just consider b = b_47. The
best time complexity for the preimage attack that we can obtain is then 2^{73.95},
with a memory complexity of 2^{63.08}. Other trade-offs are possible by using other
parameters for inverting the function, as shown in Table 4.

For the other versions of ARMADILLO2, the number of message blocks
associated to n = m is big enough for performing the 2^b inversions, so we do
not consider other n's for computing the (second) preimage complexity. Then,
b = b_m = (c − q_{n=m})/2 and a = c − b_m.

Complexities for preimage attacks on the different versions of ARMADILLO2
are given in Table 5, where we can see two different complexities with different
trade-offs for each version.


Table 5. Complexities of the (second) preimage attacks

                                   Best                        Time-memory trade-off
Version        c    m   log2(Time compl.)  log2(Mem. compl.)  log2(Time compl.)  log2(Mem. compl.)
ARMADILLO2-A   80   48        73.95             63.08              76.81             45
ARMADILLO2-B  128   64       117.34            102.35             125.21             45
ARMADILLO2-C  160   80       146.24            128.08             157.12             45
ARMADILLO2-D  192   96       175.16            153.82             191.19             45
ARMADILLO2-E  256  128       232.98            205.30             253.74             45


6 Experimental Verifications

To verify the above theoretical results, we implemented the proposed key
recovery attacks in the FIL-MAC and stream cipher settings against a scaled version
of ARMADILLO2 that uses a 30-bit key and processes 18-bit messages, i.e.
c = 30 and m = 18. We performed the attack 10 times for both the FIL-MAC
and the PRNG settings, where each time we chose random permutations for
both σ0 and σ1 and random messages U (in the FIL-MAC case U was chosen so
that we got y bits from U among the m least significant bits of X).

As for each application the key is a 30-bit key, the generic attack requires
a time complexity of 2^{30}. Using the parallel matching algorithm we decrease
this complexity. Table 6 shows that the implementation results are very close
to the theoretical estimates, confirming our analysis. We can also mention that
we exchanged the roles of L_in and L_out in our implementation of the attacks to
minimize the memory needs.

Table 6. Key recovery attacks against a scaled version of ARMADILLO2 in the FIL-
MAC and PRNG modes

                  c   m  ℓ_out  ℓ_in  α  β   y   log2(|L'_B|)  c − N_coll^{α,β}  log2(Time compl.)  log2(Mem. compl.)
FIL-MAC  Impl.   30  18   12    18   8  6  14     23.477          27.537            27.874             24.066
         Theory  30  18   12    18   8  6  14     23.475          27.538            27.874             24.064
PRNG     Impl.   30  18   14    16   7  6  32     22.530          24.728            25.396             22.738
         Theory  30  18   14    16   7  6  32     22.530          24.735            25.401             22.738


7 Generalization of the Parallel Matching Algorithm

In Section 3 we managed to apply the parallel matching algorithm to invert the
ARMADILLO2 function by modifying the merging Problem 1 of [2].

When the number of possible associated elements to one element is bigger
than the other list, as it is the case for ARMADILLO2, we cannot apply a
basic algorithm like the instant matching algorithm proposed in [2]. Instead, we
can use either the gradual matching or the parallel matching algorithms also
proposed in [2]. We are going to concentrate on the parallel matching
algorithm, which allows a significant reduction of the time complexity of solving
Problem 1, while allowing several time-memory trade-offs.

We can state the generalized problem that also covers our attack on
ARMADILLO2 and give the corresponding parallel matching algorithm. We
believe that this more general problem will be useful for recognizing situations
where the parallel matching can be applied, and solving them in an automated
way.

7.1 The Generalized Problem 1

As stated in [2], Problem 1 for N lists can be reduced to 2 lists; therefore we
will only consider the problem of merging 2 lists in the sequel.

Generalized Problem 1. We are given 2 lists, L_1 and L_2, of size 2^{ℓ_1} and 2^{ℓ_2}
respectively. We denote by x a vector of L_1 and by y a vector of L_2. Coordinates
of x and y belong to a general alphabet A.

We assume that vectors x and y can be decomposed into z groups of s
coordinates, i.e. x, y ∈ (A^s)^z and x = (x_1, ..., x_z) (resp. y = (y_1, ..., y_z)).

We want to keep pairs of vectors verifying a given relation t: t(x, y) = 1. The
relation t is group-wise, and is defined by t : (A^s)^z × (A^s)^z → {0, 1} such that
there exist some functions t_j : A^s × A^s → {0, 1}, verifying:

t(x, y) = 1 \iff \forall j,\ 1 \le j \le z,\ t_j(x_j, y_j) = 1.
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Generalized Problem 1 consists in merging these 2 lists to obtain the set 
L so i of all 2-tuples of {L\ X Lf) verifying t(x, y) = 1. We say that x and y are 
associated in this case. 

In order to analyze the time and memory complexities of the attack we need to 
compute the size of $L_{sol}$. This quantity depends on the probability that $t(x,y) = 1$. 
More precisely, the complexities of the generalized parallel matching algorithm 
depend on the conditional probabilities $\Pr_{y_j}[t_j(x_j, y_j) = 1 \mid x_j = a]$, $a \in A^s$. 
We denote these probabilities by $p_{j,a}$, $a \in A^s$. 

In [5] the elements of the lists $L_1$ and $L_2$ were binary (i.e. $A = \{0,1\}$) and 
random, and the probability of each $t_j$ being verified did not depend on the 
elements $x_j$ or $y_j$. Consider as an example the case where $s = 1$ and $t_j$ 
tests the equality of $x_j$ and $y_j$. We have: 

$$\forall j,\ 1 \le j \le z,\quad p_{j,0} = p_{j,1} = \frac{1}{2}.$$

In the case of the ARMADILLO2 cryptanalysis that we present in this paper, 
the alphabet is ternary (i.e. $A = \{0, 1, -\}$) and the association rule (see the 
ARMADILLO2 version of Problem 1) gives: 

$$\forall j,\ 1 \le j \le z,\quad p_{j,0} = \frac{2}{3},\quad p_{j,1} = \frac{2}{3}\quad \text{and}\quad p_{j,-} = 1.$$


7.2 Generalized Parallel Matching Algorithm 

First we need to build the three following lists: 

List $L_A$, of all the elements of the form $(x_1^A, \ldots, x_\alpha^A, y_1^A, \ldots, y_\alpha^A)$ with 
$(x_1^A, \ldots, x_\alpha^A) \in (A^s)^\alpha$ and $(y_1^A, \ldots, y_\alpha^A)$ being associated by $t$ to $(x_1^A, \ldots, x_\alpha^A)$. 
The size of $L_A$ is: 

$$|L_A| = \sum_{a \in (A^s)^\alpha} \prod_{j=1}^{\alpha} |A|^s\, p_{j,a_j}, \qquad (2)$$

where $a_j$ is the $j$-th coordinate of $a \in (A^s)^\alpha$. 

List $L_B$, of all the elements of the form $(x_1^B, \ldots, x_\beta^B, y_1^B, \ldots, y_\beta^B)$ with 
$(x_1^B, \ldots, x_\beta^B) \in (A^s)^\beta$ and $(y_1^B, \ldots, y_\beta^B)$ being associated by $t$ to $(x_1^B, \ldots, x_\beta^B)$. 
The size of $L_B$ is: 

$$|L_B| = \sum_{b \in (A^s)^\beta} \prod_{j=1}^{\beta} |A|^s\, p_{\alpha+j,b_j},$$

where $b_j$ is the $j$-th coordinate of $b \in (A^s)^\beta$. 

List $L'_B$, containing for each element $(x_1^B, \ldots, x_\beta^B, y_1^B, \ldots, y_\beta^B)$ in $L_B$ all the 
elements $x$ from $L_1$ such that $(x_{\alpha+1}, \ldots, x_{\alpha+\beta}) = (x_1^B, \ldots, x_\beta^B)$. Elements in $L'_B$ 
are of the form $(y_1^B, \ldots, y_\beta^B, x_1, \ldots, x_z)$ indexed² by $(y_1^B, \ldots, y_\beta^B, x_1, \ldots, x_\alpha)$. 

If we denote by $P_{b,[\alpha+1,\alpha+\beta],L_1}$ the probability of having an element $x$ from 
$L_1$ such that $(x_{\alpha+1}, \ldots, x_{\alpha+\beta}) = b$, the size of $L'_B$ is: 

$$|L'_B| = \sum_{b \in (A^s)^\beta} \left( \prod_{j=1}^{\beta} |A|^s\, p_{\alpha+j,b_j} \right) 2^{l_1}\, P_{b,[\alpha+1,\alpha+\beta],L_1}.$$

The cost of building this list is upper-bounded by $|L'_B| + (|A|^s)^\beta$, where 
the second term captures the cases where no element in $L_1$ corresponds to an 
element of $L_B$, and should be negligible. 

² We can use standard hash tables for storage and look-up in constant time. 

In the case where 

$$\sum_{a \in (A^s)^\alpha} \left( \prod_{j=1}^{\alpha} |A|^s\, p_{j,a_j} \right) 2^{l_2}\, P_{a,[1,\alpha],L_2} \;<\; \sum_{b \in (A^s)^\beta} \left( \prod_{j=1}^{\beta} |A|^s\, p_{\alpha+j,b_j} \right) 2^{l_1}\, P_{b,[\alpha+1,\alpha+\beta],L_1},$$

we can swap $L_1$ and $L_2$ to reduce the memory complexity of the attack. 

Next, we do the parallel matching. For each element $(x_1^A, \ldots, x_\alpha^A, y_1^A, \ldots, y_\alpha^A)$ 
in $L_A$ we consider the $2^{l_2}\, P_{(y_1^A,\ldots,y_\alpha^A),[1,\alpha],L_2}$ elements $y$ from $L_2$ such that $(y_1, \ldots, y_\alpha) 
= (y_1^A, \ldots, y_\alpha^A)$, and we check in $L'_B$ whether elements indexed by $(y_{\alpha+1}, \ldots, y_{\alpha+\beta}, x_1^A, \ldots, x_\alpha^A)$ 
exist. If this is the case, we check whether each found pair of the form $(x, y)$ verifies the 
remaining $(z - \alpha - \beta)$ cells. We denote by $\Omega$ the number of partial solutions for 
which we have to check whether or not they meet the remaining conditions: 

$$\Omega = 2^{l_1 + l_2} \sum_{b \in (A^s)^{\alpha+\beta}} \left( \prod_{j=1}^{\alpha+\beta} p_{j,b_j} \right) P_{b,[1,\alpha+\beta],L_1}.$$

The time complexity of this algorithm is: 

$$O\left( \Omega + |L_A| + |L_B| + |L'_B| + \sum_{a \in (A^s)^\alpha} \left( \prod_{j=1}^{\alpha} |A|^s\, p_{j,a_j} \right) 2^{l_2}\, P_{a,[1,\alpha],L_2} \right).$$

The memory complexity is determined by the size of the lists $L_A$, $L_B$ and $L'_B$. 
Therefore the memory complexity is: 

$$\sum_{a \in (A^s)^\alpha} \prod_{j=1}^{\alpha} |A|^s\, p_{j,a_j} \;+\; \sum_{b \in (A^s)^\beta} \prod_{j=1}^{\beta} |A|^s\, p_{\alpha+j,b_j} \;+\; \sum_{b \in (A^s)^\beta} \left( \prod_{j=1}^{\beta} |A|^s\, p_{\alpha+j,b_j} \right) 2^{l_1}\, P_{b,[\alpha+1,\alpha+\beta],L_1}.$$
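As an added example that is not part of the paper, the following Python code implements the merge of Generalized Problem 1 with the three lists $L_A$, $L_B$ and $L'_B$ of Section 7.2, for the ARMADILLO2 case $s = 1$, $A = \{0, 1, -\}$ with "-" associated to every symbol (the assumption behind $p_{j,0} = p_{j,1} = 2/3$ and $p_{j,-} = 1$ on random lists). The list sizes, $\alpha$, $\beta$ and the random lists are constructed for the example, and the result is checked against a brute-force merge; the helper names (build_pair_list, formula_size, demo) are ours, not the paper's.

```python
"""Generalized parallel matching over a ternary alphabet with a wildcard.

Added example, not code from the ARMADILLO2 paper: merges two lists under the
group-wise relation t of Generalized Problem 1 using the L_A / L_B / L'_B lists
of the parallel matching algorithm, for s = 1 and A = {0, 1, -}.
"""
import itertools
import random
from collections import defaultdict
from math import comb

ALPHABET = ("0", "1", "-")


def t_cell(a, b):
    """Relation t_j for s = 1: equal symbols match and '-' matches anything."""
    return a == b or a == "-" or b == "-"


def associated(x, y):
    """t(x, y) = 1 iff t_j(x_j, y_j) = 1 for every cell j."""
    return len(x) == len(y) and all(t_cell(a, b) for a, b in zip(x, y))


def brute_force_merge(L1, L2):
    """L_sol computed directly: all pairs of L1 x L2 that are associated."""
    return {(x, y) for x in L1 for y in L2 if associated(x, y)}


def associated_vectors(prefix):
    """Every vector of the same length that is associated with `prefix`."""
    choices = [[c for c in ALPHABET if t_cell(a, c)] for a in prefix]
    return ["".join(v) for v in itertools.product(*choices)]


def build_pair_list(length):
    """L_A (length = alpha) or L_B (length = beta): all (x-part, associated y-part) pairs."""
    return [(xs, ys)
            for xs in map("".join, itertools.product(ALPHABET, repeat=length))
            for ys in associated_vectors(xs)]


def formula_size(alpha):
    """|L_A| from equation (2) specialised as in Section 7.3:
    sum_i binom(alpha, i) 2^i (2/3)^i 3^alpha, where i counts the active cells."""
    return sum(comb(alpha, i) * 2 ** i * (2 / 3) ** i * 3 ** alpha for i in range(alpha + 1))


def parallel_matching(L1, L2, alpha, beta):
    """Return (L_sol, Omega): the merged set and the number of partial solutions checked."""
    LA = build_pair_list(alpha)
    LB = build_pair_list(beta)

    # L'_B: for each (x^B, y^B) in L_B, every x in L1 whose cells alpha+1..alpha+beta equal x^B,
    # stored in a hash table indexed by (y^B, x_1..x_alpha) as in the footnote.
    by_middle = defaultdict(list)
    for x in L1:
        by_middle[x[alpha:alpha + beta]].append(x)
    LB_prime = defaultdict(list)
    for xb, yb in LB:
        for x in by_middle.get(xb, ()):
            LB_prime[(yb, x[:alpha])].append(x)

    # L2 indexed by its first alpha cells: the candidates y with (y_1..y_alpha) = y^A.
    L2_by_prefix = defaultdict(list)
    for y in L2:
        L2_by_prefix[y[:alpha]].append(y)

    solutions = set()
    omega = 0
    for xa, ya in LA:
        for y in L2_by_prefix.get(ya, ()):
            # Cells 1..alpha agree by construction; L'_B supplies the x agreeing on alpha+1..alpha+beta.
            for x in LB_prime.get((y[alpha:alpha + beta], xa), ()):
                omega += 1
                if associated(x[alpha + beta:], y[alpha + beta:]):  # remaining z-alpha-beta cells
                    solutions.add((x, y))
    return solutions, omega


def demo(seed=1, z=8, l1=6, l2=6, alpha=2, beta=2):
    """Constructed random instance: 2^l1 and 2^l2 ternary vectors of z cells each."""
    rng = random.Random(seed)
    L1 = ["".join(rng.choice(ALPHABET) for _ in range(z)) for _ in range(2 ** l1)]
    L2 = ["".join(rng.choice(ALPHABET) for _ in range(z)) for _ in range(2 ** l2)]
    solutions, omega = parallel_matching(L1, L2, alpha, beta)
    return solutions, brute_force_merge(L1, L2), omega
```

demo() merges two lists of $2^6$ vectors of 8 cells with $\alpha = \beta = 2$ and returns the merged set, the brute-force set and $\Omega$; the two sets coincide. build_pair_list($\alpha$) has exactly $7^\alpha$ elements, since each cell of $x$ is associated with 2, 2 or 3 symbols, which is also what equation (2) evaluates to for these probabilities.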


7.3 Link with Formulas in the Case of ARMADILLO 

Using the previous formulas for the time and memory complexities, we can re- 
discover the formulas for the time and memory complexities we computed for 
ARMADILLO2 (see Section 3.3). As these formulas depend essentially on the 
sizes of the different lists, we simply show how to find the size $|L_A|$ of the list $L_A$ 
using equation (2). 

For ARMADILLO2, the probabilities $p_{j,a}$ are independent of the position $j$, 
and $p_{j,a} = 2/3$ if and only if $a$ is an active cell. Moreover, in this case each cell 
is composed of one letter of the alphabet, which means that $s = 1$. We have: 

$$|L_A| = \sum_{a \in A^\alpha} \prod_{j=1}^{\alpha} |A|\, p_{j,a_j} = \sum_{a \in \{0,1,-\}^\alpha} \prod_{j=1}^{\alpha} 3\, p_{j,a_j} = \sum_{i=0}^{\alpha} \#\{a : w(a) = i\}\, 3^\alpha \left(\frac{2}{3}\right)^i = \sum_{i=0}^{\alpha} \binom{\alpha}{i} 2^i \left(\frac{2}{3}\right)^i 3^\alpha,$$

where $w(a)$ denotes the number of active cells of $a$. 

The same method can be applied to find the sizes of the lists $L_B$ and $L'_B$. Here 
we have $\Omega = 2^{c - n_{\alpha+\beta}}$. 

8 Conclusion 

In this paper, we have presented the first cryptanalysis of ARMADILLO2, the 
recommended variant of the ARMADILLO family. We propose a key recovery 
attack on all its versions for the FIL-MAC and the stream cipher mode, which 
works for any bitwise permutations $\sigma_0$ and $\sigma_1$. We give several time-memory 
trade-offs for its complexity. We also show how to build (second) preimage at- 
tacks when using the hashing mode. 

Besides the results on ARMADILLO2, we have generalized the parallel match- 
ing algorithm presented in [5] for solving a wider Problem 1, which includes the 
cases where the lists to merge do not have random elements. We believe that 
new types of meet-in-the-middle attacks might appear now, given this algorithm 
that is cheaper than exhaustive search. 
Abstract. In this paper we describe the first single-key attack which 
can recover the full key of the full version of Grain-128 for arbitrary keys 
by an algorithm which is significantly faster than exhaustive search (by a 
factor of about $2^{38}$). It is based on a new version of a cube tester, which 
uses an improved choice of dynamic variables to eliminate the previously 
made assumption that ten particular key bits are zero. In addition, the 
new attack is much faster than the previous weak-key attack, and has a 
simpler key recovery process. Since it is extremely difficult to mathemat- 
ically analyze the expected behavior of such attacks, we implemented it 
on RIVYERA, which is a new massively parallel reconfigurable hardware, 
and tested its main components for dozens of random keys. These tests 
experimentally verified the correctness and expected complexity of the 
attack, by finding a very significant bias in our new cube tester for about 
7.5% of the keys we tested. This is the first time that the main compo- 
nents of a complex analytical attack are successfully realized against a 
full-size cipher with a special-purpose machine. Moreover, it is also the 
first attack that truly exploits the configurable nature of an FPGA-based 
cryptanalytical hardware. 

Keywords: Grain-128, stream cipher, cryptanalysis, cube attacks, cube 
testers, RIVYERA, experimental verification. 


1 Introduction 

Grain-128 [3] is a 128-bit variant of the Grain scheme, which was selected by the 
eSTREAM project in 2008 as one of the three recommended hardware-efficient 
stream ciphers. The only single-key attacks published so far on this scheme 
which were substantially faster than exhaustive search were either on a reduced 
number of rounds or on a specific class of weak keys which contains about one in 
a thousand keys. In this paper we describe the first attack which can be applied 
to the full scheme with arbitrary keys. It uses an improved cube distinguisher 
with new dynamic variables, which makes it possible to attack Grain-128 with 
no restriction on the key. Its main components were experimentally verified by 
running a 50-dimensional cube tester for 107 random keys and discovering a very 
strong bias (of 50 zeroes out of 51 bits) in about 7.5% of these keys. For these 
keys, we expect the running time of our new attack to be about $2^{38}$ times faster 
than exhaustive search, using $2^{63}$ bits of memory. Our attack is thus both faster 
and more general than the best previous attack on Grain-128 [1], which was a 
weak-key attack on one in a thousand keys and was only $2^{15}$ times faster than 
exhaustive search. However, our attack does not seem to threaten the security 
of the original 80-bit Grain scheme. 

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 327–343, 2011. 

In order to develop and experimentally verify the main components of the 
attack, we had to run thousands of summations over cubes of dimension 49 
and 50 for dozens of randomly chosen keys, where each summation required the 
evaluation of $2^{49}$ or $2^{50}$ output bits of Grain-128 (running the time-consuming 
initialization phase of Grain-128 for about $2^{56}$ different key and IV values). 
This process is hardware-oriented, highly parallelizable, and well beyond the 
capabilities of a standard cluster of PCs. We thus decided to implement the 
attack on a new type of special-purpose hardware consisting of 128 Spartan-3 
FPGAs. 

Special-purpose hardware, i.e., computing machines dedicated to cryptanalyt- 
ical problems, has a long tradition in code-breaking, including attacks against 
the Enigma cipher during WWII [?]. Their use is promising if two conditions 
are fulfilled. First, the complexity of the cryptanalytical problem must be in the 
range of approximately $2^{50} \ldots 2^{64}$ operations. For problems with a lower com- 
plexity conventional computer clusters are typically sufficient, such as the linear 
cryptanalysis attack against DES [?] (which required $2^{43}$ DES evaluations), 
and more than $2^{64}$ operations are difficult to achieve with today's technology 
unless extremely large budgets are available. The second condition is that the 
computations involved are suited for customized hardware architectures, which 
is often the case in symmetric cryptanalysis. Both conditions are fulfilled for the 
building blocks of the Grain-128 attack described in this paper. 

Even though it is widely speculated that government organizations have been 
using special-purpose hardware for a long time, there are only two confirmed 
reports about cryptanalytical machines in the open literature. In 1998, Deep 
Crack, an ASIC-based machine dedicated to brute-forcing DES, was introduced 
[?]. In 2006, COPACOBANA also allowed exhaustive key searches of DES, and 
in addition cryptanalysis of other ciphers [?]. However, in the latter case often 
only very small-scale versions of the ciphers are vulnerable. The paper at hand 
extends the previous work with respect to cryptanalysis with dedicated hard- 
ware in several ways. Our work is the first time that the main components of 
a complex analytical attack, i.e., not merely an exhaustive search, are success- 
fully realized in a public way against a full-size cipher by using a special-purpose 
machine (previous attacks were either a simple exhaustive search sped up by 
special-purpose hardware, or advanced attacks such as linear cryptanalysis which 
were realized in software on multiple workstations). Also, this is the first attack 
which makes use of the reconfigurable nature of the hardware. Our RIVYERA 
computer, consisting of 128 large FPGAs, is the most powerful cryptanalyti- 
cal machine available outside government agencies (possessing more than four 
times as many logic resources as the COPACOBANA machine). This makes our 
attack an interesting case study about what type of cryptanalysis can be done 
with "university budgets" (as opposed to government budgets). As a final re- 
mark, it is worth noting that the same attack implemented on GPU clusters 
would require an extremely large number of graphics cards, which would not only 
require a very high budget but would also consume considerably more electric energy 
to perform the same computations. 

In the first part of this paper, we give the necessary background regarding 
Grain- 128 and dynamic cube attacks and describe our new attack on Grain- 128. 
In the second part of the paper, we present our FPGA implementation in detail. 

2 Preliminaries 

In this section we give a short description of Grain-128 [3], of cube testers (which 
were introduced in [2]), and of dynamic cube attacks (developed in [1]). 

2.1 Description of Grain-128 

The state of Grain-128 consists of a 128-bit LFSR and a 128-bit NFSR. The 
feedback functions of the LFSR and NFSR are respectively defined to be 

$$s_{i+128} = s_i + s_{i+7} + s_{i+38} + s_{i+70} + s_{i+81} + s_{i+96}$$

$$b_{i+128} = s_i + b_i + b_{i+26} + b_{i+56} + b_{i+91} + b_{i+96} + b_{i+3}b_{i+67} + b_{i+11}b_{i+13} + b_{i+17}b_{i+18} + b_{i+27}b_{i+59} + b_{i+40}b_{i+48} + b_{i+61}b_{i+65} + b_{i+68}b_{i+84}$$

The output function is defined as 

$$z_i = \sum_{j \in \mathcal{A}} b_{i+j} + h(x) + s_{i+93}, \quad \text{where } \mathcal{A} = \{2, 15, 36, 45, 64, 73, 89\},$$
$$h(x) = x_0x_1 + x_2x_3 + x_4x_5 + x_6x_7 + x_0x_4x_8,$$

where the variables $x_0, x_1, \ldots, x_8$ correspond to the tap 
positions $b_{i+12}, s_{i+8}, s_{i+13}, s_{i+20}, b_{i+95}, s_{i+42}, s_{i+60}, s_{i+79}$ and $s_{i+95}$ respectively. 

Grain-128 is initialized with a 128-bit key that is loaded into the NFSR, and with 
a 96-bit IV that is loaded into the LFSR, while the remaining 32 LFSR bits are 
filled with 1's. The state is then clocked through 256 initialization rounds without 
producing an output, feeding the output back into the input of both registers. 
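The following bit-level model of Grain-128 is an added example, not code from the paper or from the cipher's designers. It implements the LFSR and NFSR feedback functions, the output function $h$ with its tap positions, and the key/IV loading exactly as stated above, with the number of initialization rounds as a parameter so that reduced-round variants can be examined. Bits are Python ints 0/1 and index 0 of each register holds bit $i$; the key and IV values used below are constructed, and the model reproduces no official test vectors, so it should be checked against the specification's vectors before being relied on.

```python
"""Bit-level model of Grain-128 following the description in Section 2.1.

Added example, not code from the paper or the Grain designers.  Each register
is a list of 128 ints (0/1); index 0 holds bit i, index 127 holds bit i+127.
"""


def int_to_bits(value, nbits):
    """Little-endian bit list of `value` (bit 0 first)."""
    return [(value >> k) & 1 for k in range(nbits)]


def load_state(key_bits, iv_bits):
    """128-bit key -> NFSR b, 96-bit IV -> LFSR s, remaining 32 LFSR bits set to 1."""
    if len(key_bits) != 128 or len(iv_bits) != 96:
        raise ValueError("Grain-128 takes a 128-bit key and a 96-bit IV")
    return list(key_bits), list(iv_bits) + [1] * 32


def output_bit(b, s):
    """z_i = sum_{j in A} b_{i+j} + h(x) + s_{i+93}."""
    taps_a = (2, 15, 36, 45, 64, 73, 89)
    # x_0..x_8 = b_{i+12}, s_{i+8}, s_{i+13}, s_{i+20}, b_{i+95}, s_{i+42}, s_{i+60}, s_{i+79}, s_{i+95}
    x = (b[12], s[8], s[13], s[20], b[95], s[42], s[60], s[79], s[95])
    h = (x[0] & x[1]) ^ (x[2] & x[3]) ^ (x[4] & x[5]) ^ (x[6] & x[7]) ^ (x[0] & x[4] & x[8])
    z = h ^ s[93]
    for j in taps_a:
        z ^= b[j]
    return z


def feedback(b, s):
    """Return (b_{i+128}, s_{i+128}) computed from the current register contents."""
    s_new = s[0] ^ s[7] ^ s[38] ^ s[70] ^ s[81] ^ s[96]
    b_new = (s[0] ^ b[0] ^ b[26] ^ b[56] ^ b[91] ^ b[96]
             ^ (b[3] & b[67]) ^ (b[11] & b[13]) ^ (b[17] & b[18]) ^ (b[27] & b[59])
             ^ (b[40] & b[48]) ^ (b[61] & b[65]) ^ (b[68] & b[84]))
    return b_new, s_new


def clock(b, s, initializing):
    """Advance both registers one step; during initialization z_i is fed back into both."""
    z = output_bit(b, s)
    b_new, s_new = feedback(b, s)
    if initializing:
        b_new ^= z
        s_new ^= z
    b.append(b_new)
    s.append(s_new)
    del b[0]
    del s[0]
    return z


def keystream(key_bits, iv_bits, nbits, init_rounds=256):
    """First `nbits` output bits after `init_rounds` initialization steps (256 for the real cipher)."""
    b, s = load_state(key_bits, iv_bits)
    for _ in range(init_rounds):
        clock(b, s, True)
    return [clock(b, s, False) for _ in range(nbits)]
```

With init_rounds=0 the first returned bit is simply the output function applied to the loaded key and IV, which is a convenient sanity check on the tap positions before running the full 256-round initialization.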

2.2 Previous Results on Grain-128 

All the previously published single-key attacks ([?], [?], [?] and [?]) on Grain- 
128 which are substantially better than exhaustive search can only deal with 
simplified versions of the cryptosystem. In [?] a sliding property was used to 
speed up exhaustive search by a factor of two. Related-key attacks on the full 
cipher were presented in [?]. However, the relevance of related-key attacks is 
disputed, and in this paper we concentrate on attacks in the single-key model. 
The only significant known attack on the full version of Grain-128 in the single- 
key model is given in [1], where dynamic cube attacks are used to break a 
particular subset of weak keys, which contains the $2^{-10}$ fraction of keys in which 
ten specific key bits are all zero. The attack is faster than exhaustive search 
in this weak key set by a factor of about $2^{15}$. For the remaining 0.999 fraction 
of keys, there is no known attack which is significantly faster than exhaustive 
search. 


2.3 Cube Testers 

In almost any cryptographic scheme, each output bit can be described by a mul- 
tivariate master polynomial $p(x_1, \ldots, x_n, v_1, \ldots, v_m)$ over $GF(2)$ of secret variables 
$x_i$ (key bits) and public variables $v_j$ (plaintext bits in block ciphers and MACs, 
IV bits in stream ciphers). This polynomial is usually too large to write down 
or to manipulate in an explicit way, but its values can be evaluated by run- 
ning the cryptographic algorithm as a black box. The cryptanalyst is allowed 
to tweak this master polynomial by assigning chosen values to the public vari- 
ables (which results in multiple derived polynomials), but in single-key attacks 
he cannot modify the secret variables. 

To simplify our notation, we ignore in the rest of this subsection the distinction 
between public and private variables. Given a multivariate master polynomial 
with $n$ variables $p(x_1, \ldots, x_n)$ over $GF(2)$ in algebraic normal form (ANF), and a 
term $t_I$ containing the variables from an index subset $I$ multiplied together, 
the polynomial can be written as the sum of terms which are supersets of $I$ and 
terms that miss at least one variable from $I$: 

$$p(x_1, \ldots, x_n) = t_I \cdot p_{S(I)} + q(x_1, \ldots, x_n).$$

$p_{S(I)}$ is called the superpoly of $I$ in $p$. Compared to $p$, the algebraic degree of the 
superpoly is reduced by at least the number of variables in $t_I$, and its number 
of terms is smaller. 

Cube testers [2] are related to high order differential attacks [?]. The basic 
idea behind them is that the symbolic sum over $GF(2)$ of all the derived poly- 
nomials obtained from the master polynomial by assigning all the possible 0/1 
values to the subset of variables in the term $t_I$ is exactly $p_{S(I)}$, the su- 
perpoly of $t_I$ in $p(x_1, \ldots, x_n)$. This simplified polynomial is more likely to exhibit 
non-random properties than the original polynomial $p$. 

Cube testers work by evaluating superpolys of carefully selected terms tj 
which are products of public variables, and trying to distinguish them from a 
random function. One of the natural properties that can be tested is balance: 
A random function is expected to contain as many zeroes as ones in its truth 
table. A superpoly that has a strongly unbalanced truth table can thus be used 
to distinguish the cryptosystem from a random polynomial by testing whether 
the sum of output values over an appropriate boolean cube evaluates as often to 
one as to zero (as a function of the public bits which are not summed over). 

2.4 Dynamic Cube Attacks 

Dynamic cube attacks exploit distinguishers obtained from cube testers to re- 
cover some secret key bits. This is reminiscent of the way that distinguishers 
are used in differential attacks to recover the last subkey in an iterated cryp- 
tosystem. In static cube testers (and other related attacks such as the original 
cube attack [?] and AIDA [?]), the values of all the public variables that are 
not summed over are fixed to a constant (usually zero), and thus they are called 
static variables. However, in dynamic cube attacks the values of some of the 
public variables that are not part of the cube are not fixed. Instead, each one 
of these variables (called dynamic variables) is assigned a function that depends 
on some of the cube public variables and on some private variables. Each such 
function is carefully chosen in order to simplify the resultant superpoly and thus 
to amplify the expected bias (or the non-randomness in general) of the cube 
tester. 

The basic steps of the attack are briefly summarized below (for more details 
refer to [1], where the notion of dynamic cube attacks was introduced). 

A preprocessing stage: We first choose some polynomials that we want to set 
to zero at all the vertices of the cube, and show how to nullify them by setting 
certain dynamic variables to appropriate expressions in terms of the other public 
and secret variables. To minimize the number of evaluations of the cryptosystem, 
we choose a big cube of dimension d and a set of subcubes to sum over during the 
online phase. We usually choose the subcubes of the highest dimension (namely 
d and d — 1), which are the most likely to give a biased sum. We then determine 
a set of e expressions in the private variables that need to be guessed by the 
attacker in order to calculate the values of the dynamic variables during the 
cube summations. 

Note that these steps have to be done only once for each cryptosystem, and 
the chosen parameters determine the running time and success probabilities of 
the actual attack, in the same way that finding a good differential property can 
improve the complexity of differential attacks on a cryptosystem. 

The online phase of the attack has two parts: 


Online Step 1 

1. For each possible vector of values for the e secret expressions, sum modulo 
2 the output bits over the subcubes chosen during preprocessing with the 
dynamic variables set accordingly, and obtain a list of sums (one bit per 
subcube). 

2. Given the list of sums, calculate its score by measuring the non-randomness 
in the subcube sums. The output of this step is a sequence of lists sorted 
from the lowest score to the highest (in our notation the list with the lowest 
score has the largest bias, and is thus the most likely to be correct in our 
attack). 

Given that the dimension of our big cube is $d$, the complexity of summing over 
all its subcubes is bounded by $d2^d$ (using the Moebius transform [?]). Assuming 
that we have to guess the values of $e$ secret expressions in order to determine 
the values of the dynamic variables, the complexity of this step is bounded by 
$d2^{d+e}$ bit operations. Assuming that we have $y$ dynamic variables, both the data 
and memory complexities are bounded by $2^{d+y}$ (since it is sufficient to obtain 
an output bit for every possible vertex of the cube and for every possible value 
of the dynamic variables). 
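As an added example that is not code from the paper, the block below demonstrates on a small constructed $GF(2)$ polynomial the two facts used above: that summing a function over all 0/1 values of the variables of a term yields that term's superpoly (Section 2.3), and that one Moebius transform over the $2^d$-entry truth table of a $d$-dimensional cube produces the sums over all its subcubes (the non-cube variables kept at zero) in $d 2^d$ bit operations (Section 2.4). master_poly, the cube and all helper names are constructed for this example; the last two functions compute the $d + 1$ sums over the cube and its $(d-1)$-dimensional subcubes and their fraction of zeroes, the kind of balance score a cube tester uses.

```python
"""Cube sums, superpolys and the Moebius transform (Sections 2.3 and 2.4).

Added example, not code from the paper: a small constructed GF(2) polynomial
stands in for the master polynomial of a cipher.
"""
import itertools


def master_poly(x):
    """Constructed example: p = x0 x1 x2 + x0 x1 x3 + x2 + x3 x4 over GF(2)."""
    return (x[0] & x[1] & x[2]) ^ (x[0] & x[1] & x[3]) ^ x[2] ^ (x[3] & x[4])


def cube_sum(f, cube, static):
    """XOR of f over all 0/1 assignments to the variables in `cube`; the others come from `static`."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        x = list(static)
        for var, bit in zip(cube, bits):
            x[var] = bit
        total ^= f(x)
    return total


def superpoly_truth_table(f, n, cube):
    """Cube sum as a function of the remaining variables: the truth table of p_S(I)."""
    rest = [i for i in range(n) if i not in cube]
    table = {}
    for bits in itertools.product((0, 1), repeat=len(rest)):
        static = [0] * n
        for var, bit in zip(rest, bits):
            static[var] = bit
        table[bits] = cube_sum(f, cube, static)
    return table


def big_cube_truth_table(f, n, cube):
    """f at every vertex of the big cube; bit k of the index is the value of cube[k]."""
    table = []
    for m in range(1 << len(cube)):
        x = [0] * n
        for k, var in enumerate(cube):
            x[var] = (m >> k) & 1
        table.append(f(x))
    return table


def all_subcube_sums(truth_table):
    """Moebius transform: entry m becomes the XOR of f over all vertices v with v a subset of m,
    i.e. the sum over the subcube whose free variables are the 1-bits of m (the rest kept at 0).
    d passes over 2^d entries give the d*2^d bound."""
    t = list(truth_table)
    d = len(t).bit_length() - 1
    for k in range(d):
        step = 1 << k
        for m in range(len(t)):
            if m & step:
                t[m] ^= t[m ^ step]
    return t


def largest_subcube_sums(subcube_sums):
    """Sums over the full d-dimensional cube and its d subcubes of dimension d-1
    (each with the omitted variable fixed to 0): the d+1 sums a cube tester would score."""
    full = len(subcube_sums) - 1
    d = full.bit_length()
    return [subcube_sums[full]] + [subcube_sums[full ^ (1 << k)] for k in range(d)]


def zero_fraction(sums):
    """Balance score: fraction of zero sums (about 1/2 is expected for a random function)."""
    return sums.count(0) / len(sums)
```

For master_poly the cube $\{x_0, x_1\}$ gives the superpoly $x_2 + x_3$, and the Moebius transform of the full 5-variable truth table returns exactly the ANF coefficients, so every subcube of dimension 4 or 5 sums to zero: a degree-3 polynomial is trivially distinguishable from a random one by these six sums, which is the effect the attack looks for at dimension 49 and 50.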


Online Step 2. Given the sorted guess score list, we determine the most likely 
values for the secret expressions, for a subset of the secret expressions, or for the 
entire key. The specific details of this step vary according to the attack. 


2.5 A Partial Simulation Phase 

The complexity of executing online step 1 of the attack for a single key is $d2^{d+e}$ 
bit operations and $2^{d+y}$ cipher executions. In the case of Grain-128, these com- 
plexities are too high and thus we have to experimentally verify our attack with 
a simpler procedure. Our solution is to calculate the cube summations in online 
step 1 only for the correct guess of the $e$ secret expressions. We then calculate the 
score of the correct guess and estimate its expected position $g$ in the sorted list 
of score values by assuming that incorrect guesses will make the scheme behave 
as a random function. Consequently, if the cube sums for the correct guess detect 
a property that is satisfied by a random cipher with probability $p$, we estimate 
that the location of the correct guess in the sorted list will be $g \approx \max\{p \times 2^e, 1\}$ 
(as justified in [1]). 

3 A New Approach for Attacking Grain-128 

The starting point of our new attack on Grain-128 is the weak-key attack de- 
scribed in [1], and we repeat it here for the sake of completeness. Both our new 
attack and the attack described in [1] use only the first output bit of Grain-128 
(with index $i = 257$). The output function of the cipher is a multivariate poly- 
nomial of degree 3 in the state, and its only term of degree 3 is $b_{i+12}b_{i+95}s_{i+95}$. 
Since this term is likely to contribute the most to the high degree terms in the 
output polynomial, we try to nullify it. Since $b_{i+12}$ is the state bit that is cal- 
culated at the earliest stage of the initialization steps (compared to $b_{i+95}$ and 
$s_{i+95}$), it should be the least complicated to nullify. However, after many ini- 
tialization steps, the ANF of $b_{i+12}$ becomes very complicated and it does not 
seem possible to nullify it in a direct way. Instead, the idea in [1] is to simplify 
(and not nullify) $b_{i+12}b_{i+95}s_{i+95}$ by nullifying $b_{i-21}$ (which participates in the 
most significant terms of $b_{i+12}$, $b_{i+95}$ and $s_{i+95}$). The ANF of the earlier $b_{i-21}$ is 
much easier to analyze than the one of $b_{i+12}$, but it is still very complex. 
The solution adopted in [1] was to assume that 10 specific key bits are set to 0. 
This leads to a weak-key attack on Grain-128 which can only attack a particular 
fraction of 0.001 of the keys. 

In order to attack a significant portion of all the possible keys, we use a 
different approach which nullifies state bits that are produced at an earlier stage 
of the encryption process. This approach weakens the resistance of the output 
of Grain-128 to cube testers, but in a more indirect way. In fact, the output 
function is a higher degree polynomial which can be more resistant to cube testers 
compared to [1]. This forces us to slightly increase the dimension $d$ from 46 to 50. 
On the other hand, since we choose to nullify state bits that are produced at an 
earlier stage of the encryption process, their ANF is relatively simple and thus 
the number of secret expressions $e$ that we need to guess is reduced from 61 to 
39. Since the complexity of the attack is proportional to $d2^{d+e}$, the smaller value 
of $e$ more than compensates for the slightly larger value of $d$. Our new strategy 
thus yields not only an attack which has a significant probability of success for 
all the keys rather than an attack on a particular subset of weak keys, but also 
a better improvement factor over exhaustive search (details are given at the end 
of this section). 

In the new attack we decided to nullify $b_{i-54}$. This simplifies the ANF of the 
output function in two ways: it nullifies the ANF of the most significant term 
of $b_{i-21}$ (the only term of degree 3), which has a large influence on the ANF of 
the output. In addition, setting $b_{i-54}$ to zero nullifies the most significant terms 
of $b_{i+62}$ and $s_{i+62}$, simplifying their ANF. This in turn simplifies the ANF of the most 
significant terms of $b_{i+95}$ and $s_{i+95}$, both participating in the most significant 
term of the output function. In addition to nullifying $b_{i-54}$, we nullify the most 
significant term of $b_{i+12}$ (which has a large influence on the ANF of the output, 
as described in the first paragraph of this section), $b_{i-104}b_{i-21}s_{i-21}$, by nullifying 
$b_{i-104}$. 

The parameter set we used for the new attack is given in Table [?]. Most of the 
dynamic variables are used in order to simplify the ANF of $b_{i-54} = b_{203}$ so that 
we can nullify it using one more dynamic variable with acceptable complexity. 
We now describe in detail how to perform the online phase of the attack, given 
this parameter set. Before executing these steps, one should take the following 
preparation steps in order to determine the list of $e$ secret expressions in the key 
variables we have to guess during the actual attack. 

1. Assign values to the dynamic variables given in Table [?]. This is a very simple 
process which is described in Appendix B of [1] (since the symbolic values of 
the dynamic variables contain hundreds of terms, we do not list them here, 
but rather refer to the process that calculates their values). 

2. Given the symbolic form of a dynamic variable, look for all the terms which 
are combinations of variables from the big cube. 

3. Rewrite the symbolic form as a sum of these terms, each one multiplied by 
an expression containing only secret variables. 

4. Add the expressions of secret variables to the set of expressions that need 
to be guessed. Do not add expressions whose value can be deduced from the 
values of the expressions which are already in the set. 

When we prepare the attack, we initially get 50 secret expressions. However, 
after removing 11 expressions which are dependent on the rest, the number of 
expressions that need to be guessed is reduced to 39. We are now ready to execute 
the online phase of the attack: 
1. Obtain the first output bit produced by Grain-128 (after the full 256 ini- 
tialization steps) with the fixed secret key and all the possible values of the 
variables of the big cube and the dynamic variables given in Table [?] (the 
remaining public variables are set to zero). The dimension of the big cube 
is 50 and we have 13 dynamic variables, and thus the total amount of data 
and memory required is $2^{50+13} = 2^{63}$ bits. 

2. We have $2^{39}$ possible guesses for the secret expressions. Allocate a guess score 
array of $2^{39}$ entries (an entry per guess). For each possible value (guess) of 
the secret expressions: 

(a) Plug the values of these expressions into the dynamic variables (which 
thus become a function of the cube variables, but not the secret vari- 
ables). 

(b) Our big cube in Table [?] is of dimension 50. Allocate an array of $2^{50}$ bit 
entries. For each possible assignment to the cube variables: 

i. Calculate the values of the dynamic variables and obtain the corre- 
sponding output bit of Grain- 128 from the data. 

ii. Copy the value of the output bit to the array entry whose index 
corresponds to the assignment of the cube variables. 

(c) Given the $2^{50}$-bit array, sum over all the entry values that correspond to 
the 51 subcubes of the big cube which are of dimension 49 and 50. When 
summing over 49-dimensional cubes, keep the cube variable that is not 
summed over at zero. This step gives a list of 51 bits (subcube sums). 

(d) Given the 51 sums, calculate the score of the guess by measuring the 
fraction of bits which are equal to 1. Copy the score to the appropriate 
entry in the guess score array and continue to the next guess (item 2). 
If no more guesses remain go to the next step. 

3. Sort the $2^{39}$ guess scores from the lowest score to the highest. 

To justify item 2.c, we note that the largest biases are likely to be created by 
the largest cubes, and thus we only use cubes of dimension 50 and 49. To justify 
item 2.d, we note that the cube summations tend to yield sparse superpolys, 
which are all biased towards 0, and thus we can use the number of zeroes as a 
measure of non-randomness. The big cube in the parameter set is of dimension 
50, which has 16 times more vertices than the cube used in [1] to attack the weak 
key set. The total complexity of the algorithm above is about $50 \times 2^{50+39} < 2^{95}$ bit 
operations (it is dominated by item 2.c, which is performed once for each of the 
$2^{39}$ possible secret expression guesses). 

Given the sorted guess array which is the output of online step 1, we are 
now ready to perform online step 2 of the attack (which recovers the secret key 
without going through the difficult step of solving the large system of polynomial 
equations). In order to optimize this step, we analyze the symbolic form of 
the secret expressions: out of the 39 expressions (denoted by $s_1, s_2, \ldots, s_{39}$), 20 
contain only a single key bit (denoted by $s_1, s_2, \ldots, s_{20}$). Moreover, 18 out of 
the remaining $39 - 20 = 19$ expressions (denoted by $s_{21}, s_{22}, \ldots, s_{38}$) are linear 
combinations of key bits, or can be made linear by fixing the values of 45 more key 
bits. Thus, we define the following few sets of linear expressions: Set 1 contains 
the 20 secret key bits $s_1, s_2, \ldots, s_{20}$. Set 2 contains the 45 key bits whose choice 
simplifies $s_{21}, s_{22}, \ldots, s_{38}$ into linear expressions. Set 3 contains the 18 linear 
expressions of $s_{21}, s_{22}, \ldots, s_{38}$ after plugging in the values of the $20 + 45 = 65$ key 
bits of the first two sets (note that the set itself depends on the values of the key 
bits in the first two sets). Altogether, the first three sets contain $20 + 45 + 18 = 85$ 
singletons or linear expressions. Set 4 contains $128 - 85 = 45$ linearly independent 
expressions which form a basis of the complement of the subspace spanned by the 
first three sets. Note that given the 128 values of all the expressions contained 
in the 4 sets, it is easy to calculate the 128-bit key. 

Our attack exploits the relatively simple form of 38 out of the 39 secret ex- 
pressions in order to recover the key using basic linear algebra: 

1. Consider the guesses from the lowest score to the highest. For each guess: 

(a) Obtain the values of the key bits of set 1, $s_1, s_2, \ldots, s_{20}$. 

(b) For each possible value of the 45 key bits of set 2: 

i. Plug in the (current) values of the key bits from sets 1 and 2 into the 
expressions of $s_{21}, s_{22}, \ldots, s_{38}$ and obtain set 3. 

ii. Obtain the values of the linear expressions of set 3 from the guess. 

iii. From the first 3 sets, obtain the 45 linear expressions of set 4 using 
Gaussian Elimination. 

iv. For all possible values of the 45 linear expressions of set 4 (iterated 
using Gray Coding to simplify the transitions between values): 

A. Given the values of the expressions of the 4 sets, derive the secret 
key. 

B. Run Grain- 128 with the derived key and compare the result to 
a given (known) key stream. If there is equality, return the full 
key. 

This algorithm contains 3 nested loops. The loop of item 1 is performed $g$ times, where $g$ is the expected position of the correct guess in the sorted guess array. The loop of item 1.b is performed $2^{45}$ times per guess. The loop of item 1.b.iv is performed $2^{45}$ times per iteration of the previous loop. The loop of item 1.b contains linear algebra in item 1.b.iii whose complexity is clearly negligible compared to the inner loop of item 1.b.iv, which contains $2^{45}$ cipher evaluations. In the inner loop of step 1.b.iv (in item 1.b.iv.A) we need to derive the 128-bit key. In general, this is done by multiplying a $128 \times 128$ matrix with a 128-bit vector that corresponds to the values of the linear expressions. However, note that 65 key bits (of sets 1 and 2) are already known. Moreover, since we iterate over the values of set 4 using Gray coding (i.e., we flip the value of a single expression per iteration), we only need to perform the multiplication once and then calculate the difference from the previous iteration by adding a single vector (the column of the inverse matrix that corresponds to the flipped expression) to the previous value of the key. This optimization requires a few dozen bit operations, which is negligible compared to running Grain-128 in item 1.b.iv.B (which requires at least 1000 bit operations). Thus, the complexity of the exhaustive search per guess is about $2^{45+45} = 2^{90}$ cipher executions, which implies that the total complexity of the algorithm is about $g \times 2^{90}$.
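A small worked version of items 1.b.iii and 1.b.iv, as an added example (not the authors' code): a toy of n key bits replaces the 128-bit key, a handful of known expression values replaces sets 1 to 3, the basis is completed by Gaussian elimination over GF(2) (the role of set 4), the matrix is inverted once, and the unknown expression values are then walked in Gray-code order so that every step updates the candidate key by XORing one column of the inverse instead of redoing the matrix-vector product. The key size, the expression masks and the bijective toy_keystream check that stands in for "run Grain-128 and compare with the known key stream" are all constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A linear expression over GF(2) is a bit mask over the n key bits (constructed toy):
#   value(expr, key) = parity(expr & key).   In the attack n = 128.


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def complete_basis(known: Sequence[int], n: int) -> List[int]:
    """Keep the known expressions (sets 1-3) and append unit vectors until the rows
    span GF(2)^n; the appended rows play the role of set 4 (item 1.b.iii)."""
    pivots: Dict[int, int] = {}              # highest set bit -> reduced basis row

    def reduce(r: int) -> int:
        while r:
            hb = r.bit_length() - 1
            if hb not in pivots:
                return r
            r ^= pivots[hb]
        return 0

    rows: List[int] = []
    for row in known:
        r = reduce(row)
        if r == 0:
            raise ValueError("known expressions are linearly dependent")
        pivots[r.bit_length() - 1] = r
        rows.append(row)
    for j in range(n):
        if len(rows) == n:
            break
        r = reduce(1 << j)
        if r:
            pivots[r.bit_length() - 1] = r
            rows.append(1 << j)
    return rows


def gf2_inverse(rows: Sequence[int], n: int) -> List[int]:
    """Gauss-Jordan on [A | I] with rows stored as n-bit masks; returns rows of A^-1."""
    a = list(rows)
    inv = [1 << i for i in range(n)]
    for col in range(n):
        piv = next((i for i in range(col, n) if (a[i] >> col) & 1), None)
        if piv is None:
            raise ValueError("matrix is singular")
        a[col], a[piv] = a[piv], a[col]
        inv[col], inv[piv] = inv[piv], inv[col]
        for i in range(n):
            if i != col and (a[i] >> col) & 1:
                a[i] ^= a[col]
                inv[i] ^= inv[col]
    return inv


def key_from_values(inv_rows: Sequence[int], b: int) -> int:
    """Full matrix-vector product key = A^-1 * b (done once per set-2 iteration)."""
    return sum(parity(r & b) << i for i, r in enumerate(inv_rows))


def recover_key(known: Sequence[int], known_vals: Sequence[int], n: int,
                accept: Callable[[int], bool]) -> Tuple[Optional[int], int]:
    """Items 1.b.iii-iv: complete the basis, invert once, then enumerate the 2^m values
    of the set-4 expressions in Gray-code order. Returns (key, cipher evaluations)."""
    rows = complete_basis(known, n)
    k, m = len(known), n - len(known)
    inv = gf2_inverse(rows, n)
    # cols[j] = column j of A^-1: the change of the key when expression j flips
    cols = [sum(((inv[i] >> j) & 1) << i for i in range(n)) for j in range(n)]
    b = sum(v << t for t, v in enumerate(known_vals))   # set-4 values start at all-zero
    key = key_from_values(inv, b)
    evaluations = 0
    for t in range(1 << m):
        if t:
            flipped = (t & -t).bit_length() - 1          # Gray code: one expression per step
            key ^= cols[k + flipped]                     # item 1.b.iv.A in a few word ops
        evaluations += 1
        if accept(key):                                  # item 1.b.iv.B
            return key, evaluations
    return None, evaluations


def toy_keystream(key: int, n: int = 16) -> int:
    """Constructed bijective stand-in for running Grain-128 on a candidate key;
    a bijection means a key-stream match identifies the key uniquely."""
    mask = (1 << n) - 1
    s = key & mask
    for _ in range(8):
        s = ((s << 3) | (s >> (n - 3))) & mask      # rotate
        s ^= (s >> 1) & (s >> 2)                    # triangular nonlinear step (invertible)
        s = (s * 0x9E37 + 0x1234) & mask            # odd multiplier: still a bijection
    return s
```

The saving is exactly the one the text describes: with m unknown expressions the loop performs one product of cost O(n^2) and then 2^m - 1 single-vector XORs, so the cipher evaluation in the accept callback dominates.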
The attack is worse than exhaustive search if we have to try all the $2^{39}$ possible values of $g$, and thus it is crucial to provide strong experimental evidence that $g$ is relatively small for a large fraction of keys. In order to estimate $g$, we executed the online part of the attack by calculating the score for the correct guess of the 39 expression values, and estimating how likely it is to get such a bias for incorrect guesses if we assume that they behave as random functions. We performed this simulation for 107 randomly chosen keys, out of which 8 gave a very significant bias in which at least 50 of the 51 cube sums were zero. This is expected to occur in a random function with probability $p < 2^{-45}$ (for 51 independent uniform bits, the probability that at least 50 of them are zero is $52 \cdot 2^{-51} \approx 2^{-45.3}$), and thus we estimate that for about 7.5% of the keys, $g \approx \max\{2^{-45} \times 2^{39}, 1\} = 1$ and thus the correct guess of the 39 secret expressions will be the first in the sorted score list (additional keys among those we tested had smaller biases, and thus a larger $g$). The complexity of online step 2 of the attack is thus expected to be about $2^{90}$ cipher executions, which dominates the complexity of the attack (the complexity of online step 1 is about $2^{95}$ bit operations, which we estimate as $2^{95-10} = 2^{85}$ cipher executions). This gives an improvement factor of $2^{38}$ over the $2^{128}$ complexity of exhaustive search for a non-negligible fraction of keys, which is significantly better than the improvement factor of $2^{15}$ announced in the previous weak-key attack for the small subset of weak keys considered there. We note that for most additional keys there is a continuous tradeoff between the fraction of keys that we can attack and the complexity of the attack on these keys.


Table 1. Parameter set for the attack on the full Grain-128, given output bit 257

Cube Indexes (50):
{0,2,4,11,12,13,16,19,21,23,24,27,29,33,35,37,38,41,43,44,46,47,49,52,53,54,55,57,58,59,61,63,65,66,67,69,72,75,76,78,79,81,82,84,85,87,89,90,92,93}

Dynamic Variables:
{31,3,5,6,8,9,10,15,7,25,42,83,1}

State Bits Nullified:

4 Description of the Dedicated Hardware Used to Attack Grain-128

Cube attacks and testers are notoriously difficult to analyze mathematically. To 
test our attack experimentally and to verify its complexity, we had to try dozens 
of random keys, and thus to run thousands of cube summations of dimension 
49 and 50 for multiple random keys. This is only marginally feasible on a large 
cluster of PCs, which are ill-suited for performing computations relying heav- 
ily on bit-permutations as needed for this kind of attack. We thus decided to 
experimentally verify our attack on dedicated reconfigurable hardware. 

4.1 Architectural Considerations 

We start with an evaluation of the online phase of the attack (for the correct guess of the 39 secret expression values) regarding possible optimizations in hardware. To get a better understanding of our implementation, we describe the basic work-flow in Figure 1. The software implementation of the attack uses a parameter set as input, e.g., the cube dimension, the cube itself, a base IV and the number of keys to attack. It selects a random key to attack, divides the big cube into smaller worker cubes and distributes them to worker threads running in parallel. Please note that for simplicity the figure shows only one worker. If $2^w$ workers are used, the iterations per worker are reduced from $2^d$ to $2^{d-w}$.



[Figure 1: per-worker loop: evaluate polynomials and update dynamic variables, compute Grain-128, update worker sum]

Fig. 1. Cube Attack: Program flow for cube dimension d


The darker nodes and the bold path show the steps of each independent thread: as each worker iterates over a distinct subset of the cube, it evaluates polynomials on the worker cube (dynamic variables) and updates the IV input to Grain-128. Using the generated IV and the random key, it computes the output of Grain-128 after the initialization phase. With this output, the thread updates an intermediate value, the worker sum, and starts the next iteration. In the end, the software combines all worker sums, evaluates the result and can choose a new random key to start again.

With a cube of dimension $d$, the attack on one key (for the correct guess of the 39 secret expression values) computes the first output bit of Grain-128 $2^d$ times. Thus, in order to speed up the attack, it is necessary to implement Grain-128 as efficiently as possible. The design of the stream cipher is highly suitable for hardware implementations: it consists mainly of two shift registers and some logic cells. As already proposed for cube testers on Grain-128 by Aumasson et al., a fast and small FPGA implementation is a very good choice in comparison to a (bit-sliced) software implementation.
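The worker split and the dynamic-variable step of the flow above, as an added example (not the authors' software or the FPGA design): a constructed output polynomial stands in for the first output bit of Grain-128, the cube and the dynamic-variable assignment are made up for the example, and the cube sum is computed by $2^w$ workers that each fix the top $w$ cube variables, iterate the remaining $2^{d-w}$ assignments and XOR their worker sums at the end. The dynamic variable (IV bit 3 set to $1 \oplus x_0$) cancels the monomial $v_0 v_1 v_2 v_3$, which is the nullification role the attack's dynamic variables play.

```python
from itertools import product
from typing import Callable, Dict, Sequence

OutputBit = Callable[[Sequence[int], Sequence[int]], int]
DynVar = Callable[[Sequence[int], Sequence[int]], int]


def toy_output_bit(k: Sequence[int], v: Sequence[int]) -> int:
    """Constructed polynomial in key bits k and IV bits v that stands in for the first
    output bit of Grain-128 (it is NOT Grain). Over the cube {v0, v1, v2}:
      v0 v1 v2 (k0 + k3)  -> the superpoly k0 + k3
      v0 v1 v2 v3         -> polluting term, live whenever v3 = 1
      the other terms     -> lower degree in the cube variables, sum to zero"""
    return ((v[0] & v[1] & v[2] & (k[0] ^ k[3]))
            ^ (v[0] & v[1] & v[2] & v[3])
            ^ (v[1] & v[2] & k[1])
            ^ (k[2] & v[4])
            ^ (v[3] & k[4]))


def worker_sum(out: OutputBit, key: Sequence[int], base_iv: Sequence[int],
               cube: Sequence[int], dynamic: Dict[int, DynVar],
               fixed: Dict[int, int]) -> int:
    """One worker of Fig. 1: iterate the cube variables not fixed by the worker id,
    set the cube bits, evaluate the dynamic variables, run the cipher, XOR the output."""
    free = [c for c in cube if c not in fixed]
    acc = 0
    for bits in product((0, 1), repeat=len(free)):
        iv = list(base_iv)
        for idx, bit in list(fixed.items()) + list(zip(free, bits)):
            iv[idx] = bit
        for idx, poly in dynamic.items():      # dynamic variables see the cube bits (and key)
            iv[idx] = poly(key, iv)
        acc ^= out(key, iv)
    return acc


def cube_sum(out: OutputBit, key: Sequence[int], base_iv: Sequence[int],
             cube: Sequence[int], dynamic: Dict[int, DynVar], workers_log2: int = 0) -> int:
    """Split the 2^d cube over 2^w workers by fixing the top w cube variables per worker
    (2^(d-w) iterations each) and combine the worker sums; w must not exceed d."""
    top = list(cube[len(cube) - workers_log2:]) if workers_log2 else []
    total = 0
    for worker_bits in product((0, 1), repeat=workers_log2):
        total ^= worker_sum(out, key, base_iv, cube, dynamic, dict(zip(top, worker_bits)))
    return total


# Constructed attack parameters: cube {0,1,2}; IV bit 3 is a dynamic variable set to
# 1 + x0, which turns v0 v1 v2 v3 into v0 v1 v2 (1 + v0) = 0 and so nullifies that term.
CUBE = [0, 1, 2]
DYNAMIC: Dict[int, DynVar] = {3: lambda key, iv: iv[0] ^ 1}
BASE_IV = [0, 0, 0, 1, 0, 0, 0, 0]      # v3 = 1 in the base IV, so the polluting term is live


def superpoly_values(key: Sequence[int]) -> Dict[str, int]:
    """Cube sums without and with the dynamic variable, on one worker and on four."""
    return {
        "plain": cube_sum(toy_output_bit, key, BASE_IV, CUBE, {}),
        "dynamic": cube_sum(toy_output_bit, key, BASE_IV, CUBE, DYNAMIC),
        "dynamic_4_workers": cube_sum(toy_output_bit, key, BASE_IV, CUBE, DYNAMIC, workers_log2=2),
    }
```

Without the dynamic variable the cube sum is $k_0 \oplus k_3 \oplus 1$ (the polluting monomial contributes); with it the sum is exactly the superpoly $k_0 \oplus k_3$, and the value does not depend on how the cube is split across workers.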

To create an independent worker on the FPGA, it is also required to im- 
plement the IV generation. To estimate the effort of building a full worker in 
hardware, we need to know how many dynamic inputs we have to consider: While 
dynamic modifications, e. g., iterating over arrays with dynamic step sizes, pose 
no problems in software, they can be very inefficient in hardware. 

In order to compute the cipher, we need a key and an IV. The value of the key 
varies, as it is chosen at random. The IV is a 128 bit value, where each bit utilizes 
one of three functions: it is either a value given by the base IV provided by the
parameter set, part of the (worker) cube or a dynamic variable. As the function of 
each bit is modified not only per parameter set, but also when assigning partial 
cubes to different workers, this input also varies. The first two functionalities 
are both restricted and can be realized by simple multiplexers in hardware. 
The dynamic variable on the other hand stores the result of a polynomial. As 
we have no set of pre-defined polynomials and they are derived at runtime, 
every possible combination of boolean functions over the worker cube (and thus 
over the complete 128 bits) must be realized. Even with tight restrictions like a 
maximum of terms per monomial and monomials per polynomial, it is impossible 
to provide the reconfigurable structure in hardware. 

As a consequence, a fully dynamic approach leads to extremely large multi- 
plexers and thus to very high area consumption on the FPGA, which is 
prohibitively slow. The completely opposite approach would be to utilize the 
complete area of an FPGA for massive parallel Grain-128 computations with- 
out additional logic. In this case, the communication between the host and the 
FPGA will be the bottleneck of the system and the parallel cores on the FPGA 
will idle. 

For our attack, we use the RIVYERA special-purpose hardware cluster described in greater detail in Appendix A. For the following design decisions we remark that RIVYERA provides 128 powerful Spartan-3 FPGAs, which are tightly connected to an integrated server system powered by an Intel Core i7 920 with 8 logical CPU cores. This allows us to utilize dedicated hardware and use a multi-core architecture for the software part.

In order to implement the attack on the RIVYERA and benefit from its massive computing power, we propose the following implementation. Figure 2 shows the design of the modified attack. The software design is split into two parts: we use all but one core of the CPU to generate attack-specific bitstreams, i.e., configuration files for the FPGAs, in parallel, to prepare the computation on the FPGA cluster. Each of these generated designs configures the RIVYERA for a complete attack on one random key provided by the host PC. As soon as one bitstream has been generated and waits in the queue, the remaining core programs all 128 FPGAs with it, starts the attack, waits for the computation to finish and stores the results.

In contrast to the first approach, which uses the generic structure realizable in 
software, we generate custom VHDL code containing constant settings and fixed 
boolean functions of the polynomials derived from the parameter set and the 
provided key. Building specific configuration files for each attack setup allows us 
to implement as many fully functional, independent, parallel workers as possible 
without the area consumption of complex control structures. In addition, only a 
single 7-bit parameter is necessary at runtime - to split the workspace between 
all 128 FPGAs - to start the computation and receive a d-bit return value. This 
efficiently circumvents all of the problems and overhead of a generic hardware 
design at the cost of rerunning the FPGA design flow for each parameter/key 
pair. 
Please note that in this approach the host software modifies a basic design by hard-coding conditions and adjusting internal bus and memory sizes for each attack. We optimized the basic layout as much as possible, but the different choices of polynomial functions lead to different combinatorial logic paths and routing decisions, which can change the critical path in hardware. As the clock frequency is linked to the critical path, we implemented different design strategies as well as multiple fallback options to modify the clock frequency constraints, in order to prevent parameter/key pairs from resulting in an invalid hardware configuration.


4.2 Hardware Implementation Results 

In this section, we give a brief overview of the implementation and present results. As the total number of iterations for one attack (for the correct guess of the 39 secret expression values) is $2^d$, the number of workers for an optimal setup has to be a power of two. Considering the area of a Spartan-3 5000 FPGA, we chose to implement a set of $2^4 = 16$ independent workers per FPGA.

Figure 3 shows the top-level overview. As mentioned before, creating an attack-specific implementation allows us to strip down the communication interface and data paths to a minimum. This is very important as we cannot predict the impact of the (unknown) parameters and need to relax the design as much as possible.

[Figure 3: top-level FPGA design of the online phase]

Fig. 3. FPGA Implementation of the online phase for cube dimension d

Each of the workers consists of its own IV generator and controls three Grain-128 instances. The IV generator needs three clock cycles per IV, and we need a corresponding number of Grain instances to process the output directly. As it is possible to run more than one initialization step per clock cycle in parallel, we had to find the most suitable time/area trade-off for the cipher implementation. Table 2 shows the synthesis results of our Grain implementation. In comparison, Aumasson et al. used $2^5$ parallel steps, which is the maximum number of supported parallel steps without additional overhead, on the large Virtex-5 LX330 FPGA used in their work.


Table 2. Synthesis results of Grain-128 implementation on the Spartan-3 5000 FPGA with different numbers of parallel steps per clock cycle

Parallel Steps           | 2^0 | 2^1 | 2^2 | 2^3 | 2^4 | 2^5
Clock Cycles (Init)      | 256 | 128 | 64  | 32  | 16  | 8
Max. Frequency (MHz)     | 227 | 226 | 236 | 234 | 178 | 159
FPGA Resources (Slices)  | 165 | 170 | 197 | 239 | 311 | (not legible)


The resulting attack system for the online phase, consisting of the software and the RIVYERA cluster, uses 16 workers per FPGA and 128 FPGAs on the cluster in parallel. This means that the number of Grain computations per worker is reduced to $2^{d-11}$ (since $16 \times 128 = 2^{11}$ workers run in parallel). The design ensures that each key can be attacked at the highest possible clock frequency, while it tries to keep the build time per configuration moderate.

Table 3 reflects the results of the generation process and the distribution of the configurations with respect to the different clock frequencies. It shows that the impact of the unknown parameters is predictable and that fallback strategies are necessary. Please note that the new attack tries to generate configurations for multiple keys in parallel. This process, if several strategies are tried, may require more than 6 hours before the first configuration becomes available. Smaller cube dimensions, i.e., all cube dimensions lower than 48, result in very fast attacks and should be neglected, as the build time will exceed the duration of the attack in hardware. Further note that the duration of the attack increases exponentially in $d$, e.g., assuming 100 MHz as achievable for larger cube dimensions, $d = 53$ needs 1.5 days and $d = 54$ needs 3 days.

Table 3. Results of the generation process for cubes of dimension 46, 47 and 50. The Duration is the time required for the RIVYERA cluster to complete the online phase. The Percentage row gives the percentage of configurations built with the given clock frequency out of the total number of configurations built with cubes of the same dimension.

Cube Dimension             | 46                            | 47       | 50
Clock Frequency (MHz)      | 100      | 110      | 120     | 120      | 110        | 120
Configurations Built (%)   | 6.25     | 43.75    | 50      | 100      | 39.2       | 60.8
Online Phase Duration      | 17.2 min | 15.6 min | 14.3 min| 28.6 min | 4 h 10 min | 3 h 49 min

5 Conclusions 

We presented the first attack on Grain-128 which is considerably faster than exhaustive search, and unlike previous attacks makes no assumptions on the secret key. While the full attack is infeasible, we can convincingly estimate its results by running a partial version in which all the 39 unknown secret expressions are set to their correct values. Due to its high complexity and hardware-oriented nature, the attack was developed and verified using a new type of dedicated hardware. Our experimental results show that for about 7.5% of the keys we get a huge improvement factor of $2^{38}$ over exhaustive search.

Acknowledgements. The authors thank Martin Agren and the anonymous 
referees for their very helpful comments on this paper. 

A Design and Architecture of the RIVYERA Cluster 

In this work we employ an enhanced version of the COPACOBANA special-purpose hardware cluster that was specifically designed for the task of cryptanalysis. This enhanced cluster (also known as RIVYERA) is populated with 128 Spartan-3 XC3S5000 FPGAs, each tightly coupled with 32 MB of memory. Each Spartan-3 XC3S5000 FPGA provides a sea of logic resources consisting of 33,280 slices and 104 BRAMs, enabling the implementation even of complex functions in reconfigurable hardware. Eight FPGAs are soldered on individual card modules that are plugged into a backplane which implements a global systolic ring bus for high-performance communication. The internal ring bus is further connected via PCI Express to a host PC which is also installed in the same 19" housing of the cluster. Figure 4 provides an overview of the architecture of the RIVYERA special-purpose cluster.



Fig. 4. Architecture of the RIVYERA cluster system 
Abstract. Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:

- The first key recovery method for the full AES-128 with computational complexity $2^{126.1}$.

- The first key recovery method for the full AES-192 with computational complexity $2^{189.7}$.

- The first key recovery method for the full AES-256 with computational complexity $2^{254.4}$.

- Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity $2^{124.9}$.

— Preimage search for compression functions based on the full AES 
versions faster than brute force. 

In contrast to most shortcut attacks on AES variants, we do not need to 
assume related-keys. Most of our techniques only need a very small part 
of the codebook and have low memory requirements, and are practically 
verified to a large extent. As our cryptanalysis is of high computational 
complexity, it does not threaten the practical use of AES in any way. 

Keywords: block ciphers, bicliques, AES, key recovery, preimage. 

1 Introduction 

Since the Advanced Encryption Standard competition finished in 2001, the world has seen little progress in the cryptanalysis of block ciphers. In particular, the current standard AES is almost as secure as it was 10 years ago in the strongest and most practical model with a single unknown key. The former standard DES has not seen a major improvement since Matsui's seminal paper in 1993.

In contrast, the area of hash function cryptanalysis is growing quickly, encouraged by the cryptanalysis of MD5, of SHA-0 and SHA-1, followed by a practical attack on protocols using MD5, preimage attacks on Tiger and MD5, etc. While differential cryptanalysis, a technique originally developed for block ciphers, was initially carried over to hash function analysis to enrich the cryptanalytic toolbox for hash functions, now cryptanalysts are looking for the opposite: a method of hash function analysis that would give new results on block ciphers. So far the most successful attempt is the analysis of AES with local collisions, but it is only applicable in the related-key model. In the latter model, an attacker works with plaintexts and ciphertexts that are produced under not only the unknown key, but also under other keys related to the first one in a way chosen by the adversary. Such a strong requirement is rarely practical and, thus, has not been considered to be a threat for the use of AES. Also, there has been no evidence that the local collision approach can facilitate an attack in the more practical and relevant single-key model.

* This is the proceedings version of the paper; the full version is referred to as "full version" below.

** The authors were visiting Microsoft Research Redmond while working on these results.

State of the art for attacks on AES. AES with its wide-trail strategy was designed to withstand differential and linear cryptanalysis, so pure versions of these techniques have limited applications in attacks. With respect to AES, probably the most powerful single-key recovery methods designed so far are impossible differential cryptanalysis and Square attacks. Impossible differential cryptanalysis yielded the first attack on the 7-round AES-128 with non-marginal data complexity. The Square attack and its variations such as the integral attack and the multiset attack resulted in the cryptanalysis of round-reduced AES variants with the lowest computational complexity to date, while the first attack on 8-round AES-192 with non-marginal data complexity has appeared only recently.

The situation is different in weaker attack models, where related-key cryptanalysis was applied to the full versions of AES-192 and AES-256, and the rebound attack demonstrated a non-random property in 8-round AES-128. However, there is little evidence so far that carrying over these techniques to the most practical single-secret-key model is feasible. Note that no attack against the full AES-128 has been known even in the related-key model or a hash mode.

Meet-in-the-middle attacks with bicliques. Meet-in-the-middle attacks on block ciphers have obtained less attention than the differential, linear, impossible differential, and integral approaches. However, they are probably the most practical in terms of data complexity. A basic meet-in-the-middle attack requires only the information-theoretical minimum of plaintext-ciphertext pairs. The limited use of these attacks can be attributed to the requirement for large parts of the cipher to be independent of particular key bits. As this requirement is not met in AES and most AES candidates, the number of rounds broken with this technique is rather small, which seems to prevent it from producing results on a yet unbroken number of rounds in AES. We also mention that the collision attacks use some elements of the meet-in-the-middle framework.

In this paper we demonstrate that meet-in-the-middle attacks on block ciphers have great potential if enhanced by a new concept called bicliques. The biclique concept was first introduced for hash cryptanalysis by Savelieva et al. It originates from the so-called splice-and-cut framework in hash function cryptanalysis, more specifically its element called the initial structure. The biclique approach led to the best preimage attacks on the SHA family of hash functions so far, including the attack on 50 rounds of SHA-512, and the first attack on a round-reduced Skein hash function. We show how to carry over the concept of bicliques to block cipher cryptanalysis and get even more significant results, including the first key recovery for all versions of the full AES faster than brute force.

A biclique is characterized by its length (number of rounds covered) and dimension. The dimension is related to the cardinality of the biclique elements and is one of the factors that determines the advantage over brute force. The total cost of the key search with bicliques has two main contributors: firstly the cost of constructing the bicliques, and secondly the matching computations.

Two paradigms for key recovery with bicliques. Taking the biclique properties into account, we propose two different approaches, or paradigms, for key recovery. Suppose that the cipher admits the basic meet-in-the-middle attack on $m$ (out of $r$) rounds. The first paradigm, the long-biclique, aims to construct a biclique for the remaining $r - m$ rounds. Though the dimension of the biclique decreases as $r$ grows, small-dimension bicliques can be constructed with numerous tools and methods from differential cryptanalysis of block ciphers and hash functions: rebound attacks, trail backtracking, local collisions, etc. Also from an information-theoretic point of view, bicliques of dimension 1 are likely to exist in a cipher, regardless of the number of rounds. The computational bottleneck for this approach is usually the construction of the bicliques.

The second paradigm, the independent-biclique, aims to construct bicliques of higher dimension for a smaller number $b < r - m$ of rounds efficiently and to cover the remaining rounds in a brute-force way with a new method of matching with precomputations. The construction of bicliques becomes much simpler with this approach; the computational bottleneck is hence the matching computation. Even though partial brute-force computations have been considered before for cryptanalytically improved preimage search methods for hash functions, we show that their combination with biclique cryptanalysis allows for much larger savings of computations.

Results on AES. The biclique cryptanalysis successfully applies to all full versions of AES and, compared to brute force, provides a computational advantage of about a factor 3 to 5, depending on the version. Also, it yields advantages of up to a factor 15 for the key recovery of the AES versions with a smaller but yet secure number of rounds. The largest factors are obtained in the independent-biclique paradigm and have success rate 1. We also provide complexities for finding compression function preimages for all full versions of AES when considered in hash modes. Our results on AES are summarized in Tables 1 and 2, and an attempt to give an exhaustive overview with earlier results is given in Tables 3 and 4. The "full version" reference refers to the full version of this paper.
Table 1. Biclique key recovery for AES

rounds | data         | computations / succ. rate | memory    | biclique length in rounds | reference

AES-128 secret key recovery
8      | 2^{126.33}   | 2^{124.97}                | 2^{102}   | 5 | full version
8      | 2^{127}      | 2^{125.64}                | 2^{32}    | 5 | full version
8      | 2^{88}       | 2^{125.34}                | 2^{8}     | 3 | this paper
10     | 2^{88}       | 2^{126.18}                | 2^{8}     | 3 | this paper

AES-192 secret key recovery
9      | 2^{80}       | 2^{188.8}                 | 2^{8}     | 4 | full version
12     | 2^{80}       | 2^{189.74}                | 2^{8}     | 4 | full version

AES-256 secret key recovery
9      | 2^{120}      | 2^{253.1}                 | 2^{8}     | 6 | this paper
9      | 2^{120}      | 2^{251.92}                | 2^{8}     | 4 | full version
14     | 2^{40}       | 2^{254.42}                | 2^{8}     | 4 | full version


Table 2. Biclique preimage search of AES in hash modes (compression function)

rounds | computations  | succ. rate | memory | biclique length in rounds | reference

AES-128 compression function preimage, Miyaguchi-Preneel
10     | (not legible) | 0.632      | 2^{8}  | 3 | this paper

AES-192 compression function preimage, Davies-Meyer
12     | 2^{125.7}     | 0.632      | 2^{8}  | 4 | full version

AES-256 compression function preimage, Davies-Meyer
14     | (not legible) | 0.632      | 2^{8}  | 4 | full version

2 Biclique Cryptanalysis 

Now we introduce the concept of biclique cryptanalysis applied to block ciphers. 
To make our approach clear for readers familiar with meet-in-the-middle attacks, 
we introduce most of the terminology while explaining how meet-in-the-middle 
works, and then proceed with bicliques. 

2.1 Basic Meet-in-the-Middle Attack 

An adversary chooses a partition of the key space into groups of keys of cardinality $2^{2d}$ each for some $d$. A key in a group is indexed as an element of a $2^d \times 2^d$ matrix: $K[i,j]$. The adversary selects an internal variable $v$ in the data transform of the cipher such that

- as a function of a plaintext and a key, it is identical for all keys in a row:
  $$P \xrightarrow{\;g_1,\ K[i,\cdot]\;} \overrightarrow{v}_i\,;$$

- as a function of a ciphertext and a key, it is identical for all keys in a column:
  $$\overleftarrow{v}_j \xleftarrow{\;g_2^{-1},\ K[\cdot,j]\;} C\,,$$

where $g_1$ and $g_2$ form the cipher $E = g_2 \circ g_1$.

Given a plaintext-ciphertext pair $(P, C)$ obtained under the secret key $K_{secret}$, an adversary computes $2^d$ possible values $\overrightarrow{v}_i$ and $2^d$ possible values $\overleftarrow{v}_j$ from the plaintext and from the ciphertext, respectively. A matching pair $\overrightarrow{v}_i = \overleftarrow{v}_j$ yields a key candidate $K[i,j]$. The expected number of key candidates depends on the bit size $|v|$ of $v$ and is given by the formula $2^{2d - |v|}$. For $|v|$ close to $d$ and larger, an attack has an advantage of about $2^d$ over brute force search, as it tests $2^{2d}$ keys with $2^d$ partial encryptions and $2^d$ partial decryptions, i.e., with fewer than $2^{d+1}$ calls of the full cipher.

The basic meet-in-the-middle attack has clear limitations in block cipher cryptanalysis since an internal variable with the properties listed above can be found for a very small number of rounds only. We show how to bypass this obstacle with the concept of a biclique.


2.2 Bicliques 

Now we introduce the notion of a biclique following its definition in hash function cryptanalysis. Let $f$ be a subcipher that maps an internal state $S$ to the ciphertext $C$: $f_K(S) = C$. $f$ connects $2^d$ internal states $\{S_j\}$ to $2^d$ ciphertexts $\{C_i\}$ with $2^{2d}$ keys $\{K[i,j]\}$:

$$\{K[i,j]\} = \begin{pmatrix} K[0,0] & K[0,1] & \ldots & K[0,2^d-1] \\ \vdots & \vdots & & \vdots \\ K[2^d-1,0] & K[2^d-1,1] & \ldots & K[2^d-1,2^d-1] \end{pmatrix}$$

The 3-tuple $[\{C_i\}, \{S_j\}, \{K[i,j]\}]$ is called a $d$-dimensional biclique if

$$C_i = f_{K[i,j]}(S_j) \quad \text{for all } i,j \in \{0, \ldots, 2^d - 1\}. \qquad (1)$$

In other words, in a biclique, the key $K[i,j]$ maps the internal state $S_j$ to the ciphertext $C_i$ and vice versa. This is illustrated in Figure 1.

[Figure 1: the states $S_0, S_1, \ldots, S_{2^d-1}$ are connected to the ciphertexts $C_0, C_1, \ldots, C_{2^d-1}$ by the keys $K[0,0], \ldots, K[2^d-1, 2^d-1]$]

Fig. 1. d-dimensional biclique
2.3 The Flow of Biclique Cryptanalysis

Preparation. An adversary chooses a partition of the key space into groups of keys of cardinality $2^{2d}$ each for some $d$ and considers the block cipher as a composition of two subciphers: $E = f \circ g$, where $f$ follows $g$. A key in a group is indexed as an element of a $2^d \times 2^d$ matrix: $K[i,j]$.

Step 1. For each group of keys the adversary builds a structure of $2^d$ ciphertexts $C_i$ and $2^d$ intermediate states $S_j$ with respect to the group of keys $\{K[i,j]\}$ so that the partial decryption of $C_i$ with $K[i,j]$ yields $S_j$. In other words, the structure satisfies the following condition:

$$\forall i,j:\quad S_j \xrightarrow{\;K[i,j]\;}_{f} C_i. \qquad (2)$$

Step 2. The adversary asks the oracle to decrypt the ciphertexts $C_i$ with the secret key $K_{secret}$ and obtains the $2^d$ plaintexts $P_i$:

$$C_i \xrightarrow{\;\text{decryption oracle}\;} P_i. \qquad (3)$$

Step 3. If one of the tested keys $K[i,j]$ is the secret key $K_{secret}$, then it maps the intermediate state $S_j$ to the plaintext $P_i$. Therefore, the adversary checks if

$$\exists i,j:\quad P_i \xrightarrow{\;K[i,j]\;}_{g} S_j. \qquad (4)$$

A valid pair proposes $K[i,j]$ as a key candidate.

3 New Tools and Techniques for Bicliques 

Here we describe two approaches to construct bicliques, and propose a precomputation technique that speeds up the application of bicliques for key recovery. The exposition is largely independent of a cipher.


3.1 Bicliques from Independent Related-Key Differentials 

A straightforward approach to find a d-dimensional biclique would be to fix 2 d 
states and 2 d ciphertexts, and derive a key for each pair to satisfy 0 ■ This would 
require at least 2 2d key recovery attempts for /. A much more efficient way for 
the adversary is to choose the keys in advance and require them to conform to 
specific differentials as follows. 

Let the key K[0, 0] map the intermediate state So to the ciphertext Co, and 
consider two sets of 2 d related-key differentials each over / with respect to the 
base computation Sq Cq: 
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— ^-differentials. A differential in the first set maps the input difference 0 
to an output difference A,- under a key difference Af: 

0 Aj with Aq = 0 and A 0 = 0. (5) 

— Vj-differentials. A differential in the second set maps an input difference 
V, to the output difference 0 under key difference Vf\ 

Vj i — ~ — * 0 with Vjf = 0 and Vo = 0. (6) 

The tuple $(S_0, C_0, K[0,0])$ conforms to both sets of differentials by definition.
If the trails of the $\Delta_i$-differentials do not share active nonlinear components (such
as active S-boxes in AES) with the trails of the $\nabla_j$-differentials, then the tuple also
conforms to $2^{2d}$ combined $(\Delta_i, \nabla_j)$-differentials:

$$\nabla_j \xrightarrow{\Delta_i^K \oplus \nabla_j^K} \Delta_i \quad \text{for } i, j \in \{0, \ldots, 2^d - 1\}, \qquad (7)$$

which are obtained by formal xor of the differentials (5) and (6) (and of the trails, if
necessary). The proof follows from the fact that an active non-linear element in a trail
of a combined differential is active in either the $\Delta$- or the $\nabla$-trail, hence its input still
conforms to the corresponding trail by the assumption. A more formal and generic
proof can be derived from the theory of boomerang attacks, and particularly
from the concept of the S-box switch and the sandwich attack [23]. Since the $\Delta_i$-
and $\nabla_j$-trails share no active non-linear elements, a boomerang based on them
returns from the ciphertext with probability 1, as the quartet of states forms the
boomerang rectangle at every step. In the special case where no nontrivial trail
of one differential intersects with a nontrivial trail of the other differential, the
differentials are completely independent and can be directly combined.

Substituting $S_0$, $C_0$, and $K[0,0]$ into the combined differentials (7), one obtains:

$$S_0 \oplus \nabla_j \xrightarrow{K[0,0] \oplus \Delta_i^K \oplus \nabla_j^K} C_0 \oplus \Delta_i. \qquad (8)$$

Finally, we put

$$S_j = S_0 \oplus \nabla_j, \qquad C_i = C_0 \oplus \Delta_i, \quad \text{and} \quad K[i,j] = K[0,0] \oplus \Delta_i^K \oplus \nabla_j^K$$

and get exactly the definition of a $d$-dimensional biclique. If $\Delta_i^K \neq \nabla_j^K$ for
$i + j > 0$, then all keys $K[i,j]$ are different. The construction of a biclique is thus
reduced to the computation of $\Delta_i$ and $\nabla_j$, which requires no more than $2 \cdot 2^d$
computations of $f$.

The independence of the related-key differentials allows one to efficiently construct
higher-dimensional bicliques and simplifies the partition of the key space.
Though this approach turns out to be effective in the case of AES, the length
of independent differentials (and hence of a biclique) is limited by the diffusion
properties of the cipher.
3.2 Bicliques from Interleaving Related-Key Differential Trails

The differential independency requirement appears to be a very strong require- 
ment as it clearly limits the biclique length. An alternative way to construct a 
biclique is to consider interleaving differential trails. However, a primitive secure 
against differential cryptanalysis does not admit a long biclique of high dimen- 
sion over itself, as such a biclique would consume too many degrees of freedom. 
For small dimensions, however, the biclique equations admit a rather simple dif- 
ferential representation, which allows a cryptanalyst to involve valuable tools 
from differential cryptanalysis of hash functions. 

We outline here how bicliques of dimension 1 can be constructed in terms
of differentials and differential trails with a procedure resembling the rebound
attack. We are also able to amortize the construction cost of a biclique
by producing many more out of a single one. The construction algorithm is
outlined as follows for a fixed key group $\{K[0,0], K[0,1], K[1,0], K[1,1]\}$; see
also Figure 2.

— Intermediate state $T$. Choose an intermediate state $T$ in the subcipher $f$ (over
which the biclique is constructed). The position of $T$ splits $f$ into two parts:
$f = f_2 \circ f_1$. $f_1$ maps $S_j$ to $T$; $f_2$ maps $T$ to $C_i$.

— $\Delta$- and $\nabla$-trails. Choose some truncated related-key differential trails: $\Delta$-trails
over $f_1$ and $\nabla$-trails over $f_2$.

— Inbound phase. Guess the differences in the differential trails up to $T$. Get
the values of $T$ that satisfy the input and output differences over $f$.

— Outbound phase. Use the remaining degrees of freedom in the state to
sustain difference propagation in the trails.

— Output the states for the biclique.

We stress that the related-key trails are used in the single-key model. 

Numerous optimizations of the outlined biclique construction algorithm are
possible. For instance, it is not necessary to guess all differences in the trail,
but only a part of them, and subsequently filter out the solutions. Instead of
fixing the key group, it is also possible to fix only the difference between keys
and derive the actual values during the attack (the disadvantage of this approach
is that key groups are generated online, and we have to take care of possible
repetitions). It is also important to reduce the amortized cost of a biclique by
producing new ones for other key groups by some simple modification.


Fig. 2. Construction of a 1-dimensional biclique from dependent related-key differential
trails: guess the difference between computations and derive states $S_j$ and ciphertexts $C_i$
as conforming elements. [figure not reproduced]

3.3 Matching with Precomputations

Here we describe the idea of matching with precomputations, which provides a
significant computational advantage due to amortized computations. This is an
efficient way to check Equation (4) in the procedure of biclique cryptanalysis.
First, the adversary computes and stores in memory $2 \cdot 2^d$ full computations

$$\text{for all } i:\ P_i \xrightarrow{K[i,0]} \overrightarrow{v} \qquad \text{and} \qquad \text{for all } j:\ \overleftarrow{v} \xleftarrow{K[0,j]} S_j$$

up to some matching variable $v$, which can be a small part of the internal cipher
state. Then for particular $i, j$ he recomputes only those parts of the cipher that
differ from the stored ones:

$$P_i \xrightarrow{K[i,j]} \overrightarrow{v} \qquad \text{and} \qquad \overleftarrow{v} \xleftarrow{K[i,j]} S_j.$$

The amount of recalculation depends on the diffusion properties of both the internal
rounds and the key schedule of the cipher. The relatively slow diffusion in
the AES key schedule allows the adversary to skip most recomputations of the
key schedule operations.

4 Two Paradigms of Key Recovery 

We have introduced different approaches to construct bicliques and to perform
matching with precomputations. One may ask which approach is optimal and
relevant. We have studied several block ciphers and hash functions, including
different variants of AES, and it turns out that the optimal choice depends
on the primitive, its diffusion properties, and the features of the key schedule. This
prepares the case to introduce two paradigms for key recovery, which differ both
methodologically and in their use of tools.

To put our statement in context, let us consider the basic meet-in-the-middle
attack and assume that it can be applied to $m$ rounds of a primitive,
while we are going to attack $r > m$ rounds.

Biclique Cryptanalysis of the Full AES 353

4.1 Long-Biclique

Our first paradigm aims to construct a biclique over the remaining $(r - m)$
rounds so that the basic meet-in-the-middle attack can be applied with negligible
modification. The first advantage of this approach is that theoretically we can get
the same advantage as the basic attack if we manage to construct a biclique of
appropriate dimension. If the dimension is inevitably small due to the diffusion,
then we use the second advantage: the biclique construction methods based on
differential cryptanalysis of block ciphers and hash functions.

The disadvantage of this paradigm is that the construction of bicliques over 
many rounds is very difficult. Therefore, we are limited in the total number of 
rounds that we can attack. Furthermore, the data complexity can be very large 
since we use all the degrees of freedom to construct a biclique and may have 
nothing left to impose restrictions on the plaintexts or ciphertexts. 

Nevertheless, we expect this paradigm to benefit from the further develop- 
ment of differential cryptanalysis and the inside-out strategy and predict its 
applicability to many other ciphers. 

Hence, to check (4) the adversary selects an internal variable $v \in V$ that can
be computed as follows for each key group $\{K[i,j]\}$:

$$P_i \xrightarrow[\mathcal{E}_1]{K[i,\cdot]} \overrightarrow{v} = \overleftarrow{v} \xleftarrow[\mathcal{E}_2]{K[\cdot,j]} S_j. \qquad (9)$$

Therefore, the computational complexity of matching is upper bounded by $2^d$
computations of the cipher.

Fig. 3. Long-biclique attack with four states and four ciphertexts. [figure not reproduced]


Complexity of Key Recovery. Let us evaluate the full complexity of the
long-biclique approach. Since the full key recovery is merely the application of
Steps 1-3 $2^{n-2d}$ times, we get the following equation:

$$C_{full} = 2^{n-2d}\,[C_{biclique} + C_{match} + C_{falsepos}],$$

where

— $C_{biclique}$ is the complexity of constructing a single biclique. Since the
differential-based method is time-consuming, one has to amortize the construction
cost by selecting a proper set of neutral bytes that do not affect
the biclique equations.

— $C_{match}$ is the complexity of the computation of the internal variable $v$ $2^d$
times in each direction. It is upper bounded by $2^d$ calls of $E$.

— $C_{falsepos}$ is the complexity generated by false positives, which have to be
matched on other variables. If we match on a single byte, the number of false
positives is about $2^{2d-8}$. Each requires only a few operations to re-check.

Generally, the complexity is dominated by $C_{match}$ and hence has an advantage
of at least $2^d$ over brute force. The memory complexity depends on the biclique
construction procedure.


4.2 Independent-Biclique

Our second paradigm lets the attacker exploit the diffusion properties rather
than differential properties, and does not aim to construct the longest biclique.
In contrast, it proposes to construct shorter bicliques with high dimension by
tools like independent related-key differentials (Section 3.1).

This approach has clear advantages. First, the data complexity can be made
quite low. Since the biclique area is small, the attacker has more freedom to
impose constraints on the ciphertext and hence restrict it to a particular set.
Secondly, the attack gets a compact and small description, since the independent
trails are generally short and self-explanatory.

For further explanation, we recall the decomposition of the cipher:

$$E:\ P \xrightarrow{\mathcal{E}_1} V \xrightarrow{\mathcal{E}_2} S \xrightarrow{\mathcal{E}_3} C.$$

In (4), the adversary detects the right key by computing an intermediate variable
$v$ in both directions:

$$P_i \xrightarrow[\mathcal{E}_1]{K[i,j]} \overrightarrow{v} = \overleftarrow{v} \xleftarrow[\mathcal{E}_2]{K[i,j]} S_j. \qquad (10)$$

Since the meet-in-the-middle attack is no longer applicable to $\mathcal{E}_2 \circ \mathcal{E}_1$, we
apply the matching with precomputations (Section 3.3).

As with the long-biclique paradigm, $2^{2d}$ keys are tested using only $2^d$ intermediate
cipher states. The precomputation of about $2^{d+1}$ matches allows for a
significant complexity gain and is the major source of the computational advantage
of our attacks on AES (Section 3.3). The advantage comes from the fact
that in the case of high dimension the basic computation has negligible cost, and
the full complexity is determined by the amount of precomputation. By a careful
choice of key groups, one is able to reduce the precomputation proportion
to a very small factor, e.g. a factor of 1/15 in attacks on reduced-round versions of
AES-256.


Complexity of Key Recovery. The full complexity of the independent-biclique
approach is evaluated as follows:

$$C_{full} = 2^{n-2d}\,[C_{biclique} + C_{precomp} + C_{recomp} + C_{falsepos}],$$

where

— $C_{precomp}$ is the complexity of the precomputation in Step 3. It is equivalent
to less than $2^d$ runs of the subcipher $g$.

— $C_{recomp}$ is the complexity of the recomputation of the internal variable $v$ $2^{2d}$
times. It strongly depends on the diffusion properties of the cipher. For AES
this value varies from $2^{2d-1.5}$ to $2^{2d-4}$.

The biclique construction is quite cheap in this paradigm. The method in Section
3.1 enables the construction of a biclique in only $2^{d+1}$ calls of the subcipher $f$.
Therefore, usually the full key recovery complexity will be dominated by $2^{n-2d} \cdot C_{recomp}$.
However, it also depends on the width of the matching variable and on the
biclique dimension $d$. We give more details for the case of AES in further
sections. The memory complexity of the key recovery is upper-bounded by storing
$2^d$ full computations of the cipher.


5 Description of AES 

AES is a block cipher with a 128-bit internal state and a 128/192/256-bit key $K$
(AES-128, AES-192, AES-256, respectively). The internal state is represented
by a $4 \times 4$ byte matrix, and the key is represented by a $4 \times 4$ / $4 \times 6$ / $4 \times 8$ matrix.

The encryption works as follows. The plaintext is xored with the key, and then
undergoes a sequence of 10/12/14 rounds. Each round consists of four transformations:
the nonlinear bytewise SubBytes, the byte permutation ShiftRows, the linear
transformation MixColumns, and the addition of a subkey, AddRoundKey.
MixColumns is omitted in the last round.

SubBytes is a nonlinear transformation operating on 8-bit S-boxes with a maximum
differential probability as low as $2^{-6}$ (for most cases 0 or $2^{-7}$). ShiftRows
rotates the bytes in row $r$ by $r$ positions to the left. MixColumns is a linear
transformation with branch number 5, i.e. in the column equation
$(y_0, y_1, y_2, y_3) = \mathrm{MC}(x_0, x_1, x_2, x_3)$ only 5 or more of the variables can be non-zero.

We address two internal states in each round as follows in AES-128: #1 is the
state before SubBytes in round 1, #2 is the state after MixColumns in round 1,
#3 is the state before SubBytes in round 2, ..., #19 is the state before SubBytes
in round 10, #20 is the state after ShiftRows in round 10 (MixColumns is omitted
in the last round). The states in the last round of AES-192 are addressed as #23
and #24, and those of AES-256 as #27 and #28.

The subkeys come out of the key schedule procedure, which slightly differs
for each version of AES. The key $K$ is expanded to a sequence of keys
$K^0, K^1, K^2, \ldots, K^{10}$, which form a $4 \times 60$ byte array. Then the 128-bit subkeys
$0, $1, $2, ..., $14 come out of a sliding window with a 4-column step. The
keys in the expanded key are formed as follows. First, $K^0 = K$. Then, column
0 of $K^r$ is column 0 of $K^{r-1}$ xored with the nonlinear function (SK) of
the last column of $K^{r-1}$. Subsequently, column $i$ of $K^r$ is the xor of column
$i-1$ of $K^r$ and of column $i$ of $K^{r-1}$. In AES-256, column 3 undergoes the SubBytes
transformation while forming column 4.

Bytes within a state and a subkey are enumerated as follows
Byte $i$ in state $Q$ is addressed as $Q_i$.

6 Independent-Biclique: Key Recovery for the Full AES-128

In this section we describe a key recovery method on the full 10-round AES-128
using the independent-biclique approach. The computational bottleneck will be
the matching computation. See also Appendix A for an additional illustration.


Table 3. Parameters of the key recovery for the full AES-128

Biclique
  f   Rounds   Dimension   Δ^K bytes     ∇^K bytes    Time   Memory
      8-10     8           $8_8, $8_12   $8_1, $8_9   2^7    2^8

Matching
  g   Precomputation                                 Recomputation
      Rounds   v       Workload        Memory        SubBytes: forward   SubBytes: backward
      1-7      #5_12   2^(illegible)   2^8           0.875               2.625

Total complexity
  Memory   C_biclique   C_precomp   C_recomp   C_falsepos   C_full
  2^8      2^7          2^7         2^14.14    2^8          2^126.18


6.1 Key Partitioning 

For more clarity we define the key groups with respect to the subkey $8 of round
8 and enumerate the groups of keys by $2^{112}$ base keys. Since the AES-128 key
schedule bijectively maps each key to $8, the enumeration is well-defined. The
base keys $K[0,0]$ are all possible $2^{112}$ 16-byte values with two bytes fixed to 0
whereas the remaining 14 bytes run over all values:


The keys $\{K[i,j]\}$ in a group are enumerated by all possible byte differences $i$
and $j$ with respect to the base key $K[0,0]$:


This yields the partition of the round-8 subkey space, and hence the AES key
space, into the $2^{112}$ groups of $2^{16}$ keys each.

6.2 3-Round Biclique of Dimension 8

We construct a 3-round biclique from combined related-key differentials as described
in Section 3.1. The parameters of the key recovery are summarized in
Table 3. The adversary fixes $C_0 = 0$ and derives $S_0 = f^{-1}_{K[0,0]}(C_0)$ (Figure 4, left).
The $\Delta_i$-differentials are based on the difference $\Delta_i^K$ in $8, and the $\nabla_j$-differentials
are based on the difference $\nabla_j^K$ in $8:

[byte matrices of $\Delta_i^K(\$8)$ and $\nabla_j^K(\$8)$ not reproduced]

Both sets of differentials are depicted in Figure 4 in the truncated form. As they
share no active S-boxes, the resulting combined differentials yield a biclique of
dimension 8.

Since the $\Delta$-differential affects only 12 bytes of the ciphertext, all the ciphertexts
share the same values in bytes $C_{0,1,4,13}$. Furthermore, since $\Delta_i^K(\$10_{10}) = \Delta_i^K(\$10_{14})$,
the ciphertext bytes $C_{10}$ and $C_{14}$ are also always equal. As a result,
the data complexity does not exceed $2^{88}$.



Fig. 4. [figure not reproduced; panels: base computation, $\Delta_i$-differentials, $\nabla_j$-differentials, and $\nabla_j$-differentials]
Fig. 5. Recomputation in the backward direction: AES-128




6.3 Matching over 7 Rounds 

Now we check whether the secret key $K_{secret}$ belongs to the key group $\{K[i,j]\}$
according to Section 3.3. We make $2^{d+1}$ precomputations of $v$ and store the values
as well as the intermediate states and subkeys in memory. Then we check (10)
for every $i, j$ by recomputing only those variables that differ from the ones stored
in memory. Now we evaluate the amount of recomputation in both directions.

Backward direction. Let us figure out how the computation $\overleftarrow{v} \xleftarrow{K[i,j]} S_j$ differs
from the stored one $\overleftarrow{v} \xleftarrow{K[0,j]} S_j$. It is determined by the influence of the
difference between the keys $K[i,j]$ and $K[0,j]$ (see the definition of the key group in
Section 6.1). The difference in the subkey $7 is non-zero in only one byte, so we
have to recompute as few as four S-boxes in round 7 (state #13). The full area
to be recomputed, which includes 41 S-boxes, is depicted in Figure 5. Note that
the difference in the relevant subkeys is a linear function of $i$, and hence can be
precomputed and stored.

Forward computation. Now we look at how the computation $P_i \xrightarrow{K[i,j]} \overrightarrow{v}$ differs
from the stored one $P_i \xrightarrow{K[i,0]} \overrightarrow{v}$. Similarly, it is determined by the influence
of the difference between the keys $K[i,j]$ and $K[i,0]$, now applied to the plaintext.
Thanks to the low diffusion of the AES key schedule and the sparsity of the key
difference in round 8, the whitening subkeys of $K[i,j]$ and $K[i,0]$ differ in 9
bytes only. The difference is no longer a linear function of $j$, as it is involved in
the computation of $\nabla$, but still requires only three S-boxes in the key schedule
to recompute. This effect and the areas of internal states to be recomputed (with
13 S-boxes) are depicted in Figure 6.
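Two key-schedule facts used in Sections 6.1 and 6.3, namely that the AES-128 key schedule maps $K$ bijectively to $8 and that a difference in $8 diffuses backwards slowly (one differing byte in $7 for the $\Delta$ positions, nine differing bytes in the whitening key for the $\nabla$ positions), can be checked directly with the following Python, which is an added illustration and not the authors' code. It assumes the standard column-wise AES byte enumeration and that $\Delta$ places one byte value into $8 bytes 8 and 12 while $\nabla$ places one byte value into $8 bytes 1 and 9 (the positions listed in Table 3).

```python
"""AES-128 key schedule, its inverse from the round-8 subkey $8, and the backward
diffusion of the round-8 key differences used in the independent-biclique attack.

Added illustration, not the authors' code.  Assumptions: the standard AES byte
enumeration (byte i is row i mod 4 of column i div 4, so a 16-byte key is read
column-wise) and that Delta puts one byte value into $8 bytes 8 and 12 while
Nabla puts one byte value into $8 bytes 1 and 9 (byte positions from Table 3).
"""
from typing import List, Sequence


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _make_sbox() -> List[int]:
    """Build the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):          # x^254 = x^-1 in GF(2^8); 0 stays 0
            inv = gf_mul(inv, x)
        s = inv
        for k in range(1, 5):         # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
Word = List[int]


def _g(word: Word, rnd: int) -> Word:
    """The only nonlinear step of the key schedule: RotWord, SubWord, Rcon."""
    rotated = word[1:] + word[:1]
    out = [SBOX[b] for b in rotated]
    out[0] ^= RCON[rnd - 1]
    return out


def expand_key(key: bytes) -> List[List[int]]:
    """Return the AES-128 subkeys $0..$10, each as 16 bytes in column-major order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = _g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def key_from_subkey(subkey: Sequence[int], r: int) -> bytes:
    """Invert the key schedule: recover K from subkey $r.  Every step of the
    schedule is invertible, which is why K -> $8 is a bijection and Section 6.1
    can enumerate key groups by $8 instead of by K."""
    w: List[Word] = [[] for _ in range(4 * r + 4)]
    for c in range(4):
        w[4 * r + c] = list(subkey[4 * c:4 * c + 4])
    for i in range(4 * r - 1, -1, -1):      # w[i] = w[i+4] ^ t, undoing the forward step
        t = _g(w[i + 3], (i + 4) // 4) if i % 4 == 0 else w[i + 3]
        w[i] = [a ^ b for a, b in zip(w[i + 4], t)]
    return bytes(sum(w[:4], []))


def subkey_diff_counts(key: bytes, positions: Sequence[int], value: int) -> List[int]:
    """XOR `value` into the given bytes of $8, recover the second key through the
    inverse schedule and return, for $0..$8, how many subkey bytes differ."""
    base = expand_key(key)
    other8 = list(base[8])
    for p in positions:
        other8[p] ^= value
    other = expand_key(key_from_subkey(other8, 8))
    return [sum(a != b for a, b in zip(base[r], other[r])) for r in range(9)]


if __name__ == "__main__":
    k = bytes(range(16))                                 # constructed sample base key
    print("Delta (value in $8 bytes 8,12), diffs in $0..$8:", subkey_diff_counts(k, (8, 12), 0x5A))
    print("Nabla (value in $8 bytes 1,9),  diffs in $0..$8:", subkey_diff_counts(k, (1, 9), 0x5A))
```

The Delta row shows a single differing byte in $7, and the Nabla row shows that $0 differs in at most nine bytes, matching the counts stated above.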
Fig. 6. Recomputation in the forward direction: AES-128


6.4 Complexities 

Since only a portion of the round function is recomputed, one has to be highly
accurate in evaluating the complexity $C_{recomp}$. A rough division of AES-128
into 10 rounds is not precise enough. For a more exact evaluation, we count the
number of S-boxes in each SubBytes operation that we have to recompute, the
number of active variables in MixColumns, the number of output variables that
we need from MixColumns, and, finally, the number of S-boxes to recompute in
the key schedule.

Altogether, we need an equivalent of 3.4375 SubBytes operations (i.e., 55 S-boxes),
2.3125 MixColumns operations, and a negligible amount of XORs in the
key schedule. The number of SubBytes computations is clearly the larger summand.
S-boxes are also the major contributor to the practical complexity of
AES both in hardware and software. Therefore, if we aim for a single number
that refers to the complexity, it makes sense to count the number of SubBytes
operations that we need and compare it to that in the full cipher. The latter
number is $10 + 2.5 = 12.5$, as we have to take the key schedule nonlinearity into
account. As a result, $C_{recomp}$ is equivalent to $2^{16} \cdot 3.4375/12.5 = 2^{14.14}$ runs of
the full AES-128. The values $C_{biclique}$ and $C_{precomp}$ together do not exceed $2^8$
calls of the full AES-128.

The full computational complexity amounts to about

$$2^{112}\,(2^7 + 2^7 + 2^{14.14} + 2^8) = 2^{126.18}.$$

The memory requirement is upper-bounded by the storage of $2^8$ full computations
of $g$. Since the coverage of the key space by groups around base keys is
complete, the success probability is 1.

This approach for 8-round AES-128 yields a key recovery with computational
complexity about $2^{125.34}$, data complexity $2^{88}$, memory complexity $2^8$, and success
probability 1. Similarly, preimage finding for the compression function of the
full AES-128 in Miyaguchi-Preneel mode requires about $2^{125.83}$ computations,
$2^8$ memory, and has a success probability of about 0.6321.

7 Long-Biclique: 9-Round AES-256 

Our attack is a differential-based biclique attack (Section 3.2).

Step 1. A biclique of dimension 1 involves two states, two ciphertexts, and
a group of four keys. The keys in the group are defined via the difference in
subkeys:

$$K[0,1]:\ \$5(K[0,1]) \oplus \$5(K[0,0]) = \Delta K;$$
$$K[1,0]:\ \$6(K[1,0]) \oplus \$6(K[0,0]) = \nabla K;$$
$$K[1,1]:\ \$6(K[1,1]) \oplus \$6(K[0,1]) = \nabla K.$$

The differences $\Delta K$ and $\nabla K$ are defined columnwise:

$$\Delta K = (A, 0, 0, 0); \qquad \nabla K = (B, B, 0, 0),$$

where $A = \mathrm{MixColumns}(\cdot)$ and $B = \mathrm{MixColumns}(\cdot)$ [the two input columns are not reproduced].

Let us note that the key relation in the next expanded key is still linear:

$$\$4(K[1,0]) \oplus \$4(K[0,0]) = \$4(K[1,1]) \oplus \$4(K[0,1]) = (B, 0, 0, 0).$$

Evidently, the groups do not intersect and cover the full key space. We split the
9-round AES-256 as follows:

— $\mathcal{E}_1$ is round 1.
— $\mathcal{E}_2$ is rounds 2-4.
— $\mathcal{E}_3$ is rounds 5-9.

Step 2. An illustration of steps 2(a)-2(e) is given in Fig. 7.

Step 2(a). The intermediate state $T$ in $\mathcal{E}_3$ is the S-box layer in round 7. We
construct truncated differential trails in rounds 5-6 based on the injection of $\Delta K$
after round 5 (Figure 7, left), and in rounds 7-9 based on the injection of $\nabla K$
before round 9 (Figure 7, right).

Step 2(b). We guess the differences in the truncated trails up to $T$. We have
four active S-boxes in round 6 and two active S-boxes in round 8. We also require
the $\Delta$-trails to be equal. In total we make $2^{7 \cdot (4 + 2 \cdot 2)} = 2^{56}$ guesses.

Step 2(c). For each S-box in round 7 that is active in both trails (eight in total)
we take a quartet of values that conform to the input and output differences,
being essentially the boomerang quartet for the S-box (one solution per S-box
on average). For the remaining 8 S-boxes we take all possible values. Therefore,
we have $2^{64}$ solutions for each guess in the inbound phase, or $2^{120}$ solutions in
total.
Fig. 7. Biclique construction in AES-256. $\Delta$-trail (left) and $\nabla$-trail (right).


Step 2(d). Outbound phase: we filter out the solutions that do not conform
to the differential trails in rounds 6 and 8. We have four active S-boxes in each
$\Delta$-trail, and two active S-boxes in each $\nabla$-trail, hence 12 in total. Therefore, we
get an 84-bit filter, and are left with $2^{36}$ bicliques.


Step 2(e). Now we keep only the bicliques with byte $C_{0,0}$ equal to zero in both
ciphertexts. This is a 16-bit filter, which reduces the number of bicliques to $2^{20}$.
We need only one.


Steps 3-5. We ask for the decryption of two ciphertexts and get two plaintexts.
The matching position ($v$) is the byte $\#3_{0,0}$. As demonstrated in Fig. 8, it is
equal as a function of the plaintext for keys with difference $\Delta K$ (not affected by
light blue cells), and is also equal as a function of $S$ for keys with difference $\nabla K$
(not affected by red cells). We compute $v$ in both directions and check for the
match.
Step 6. We can produce sufficiently many bicliques out of one to amortize the
construction cost. Let us look at the subkey $6 in the outbound phase. We can
change its value to any of $2^{96}$ specific values so that the active S-boxes in
round 6 during the outbound phase are not affected. On the other hand, any
change in the bytes in rows 1, 2, 3 affects only those rows in the subkeys $8 and $9
and hence does not affect $C_{0,0}$. Therefore, we have $128 - 32 - 32 = 64$ neutral
bits in $6.

Similarly, we identify 9 bytes in $7 that can be changed so that $6, the active
S-boxes in round 8, and the byte $C_{0,0}$ are unaffected. Those are the bytes in the first
three columns not on the main diagonal. Therefore, we have 72 neutral bits in
$7, and 136 neutral bits in total.

Complexity. A single biclique with $C_{0,0} = 0$ is constructed with complexity
$2^{120-20} = 2^{100}$ and $2^8$ memory needed for Step 2(c). However, the 136 neutral bits in
the key reduce the amortized construction cost significantly. Let us compute the
cost of constructing a new biclique according to Step 6. A change in a single byte
of $K^7$ needs 5 S-boxes, 1 MC and several XORs to be recomputed for each ciphertext,
which gives us a complexity of 10/16 AES rounds. This change also affects two
bytes of $K^5$, so we have to recompute one half of round 5, with the resulting
complexity of 1 AES round per biclique. The total amortized complexity is 1.625
AES rounds.

In the matching part we compute a single byte in two directions, thus spending
9/16 of a round in rounds 1-3, and the full round 4, i.e. 3.125 full rounds per biclique.
In total we need 4.75 AES rounds per biclique, i.e. $2^{-0.92}$ 9-round AES-256 calls.
The complexity generated by false positives is at most $2^{-6}$ rounds per biclique.
We need $2^{254}$ bicliques, so the total complexity is $2^{253.1}$.

The data complexity is $2^{120}$ since one ciphertext byte is always fixed. The
success rate of the attack is 1, since we can generate many bicliques for each key
group.

8 On Practical Verification 

Especially for the type of cryptanalysis described in this paper, where carrying
out an attack in full is computationally infeasible, practical verification of attack
details and steps is important in order to gain confidence in it. To address this,
we explicitly state the following:

- We verified all truncated differentials through AES-128/192/256 for all the
attacks, including the independent bicliques.

- We constructed a real 6-round biclique for the 9-round AES-256 (see the summary table of results).
To make the biclique construction algorithm practical, we fixed more key bytes than
required. As a result, the construction cost for a single biclique dropped, but
the amortized cost increased.

- We verified that some difference guesses must be equal (like in the AES-256
attack) due to the branch number of MixColumns, which results in a correlation
of differences in the outbound phase.

Fig. 8. Matching in AES-256. Byte $\#3_0$ can be computed in each direction.


9 Discussion and Conclusions 

We propose the concept of bicliques for block cipher cryptanalysis and give 
various applications to AES, including a key recovery method for the full ver- 
sions of AES-128, AES-192, and AES-256. Both the “long-biclique” and the 
“independent-biclique” approach we introduced feature conceptual novelties that 
we expect will find applications in other areas. For the “long-biclique” approach, 
it is the use of techniques from differential collision attacks on hash functions 
that forces two trails to be independent and hence allows to add more rounds at 
low amortized cost. For the “independent-biclique” approach, it is the matching 
with precomputation trick that allows to significantly reduce the cost of matching 
computations over more rounds in a MITM attack. 

Using the latter approach on AES, we allow a small portion of the cipher
to be recomputed in every key test. The use of bicliques in combination with
the technique of matching with precomputation results in a surprisingly low
recomputation in the innermost loop, varying from about 1/3 to approximately
1/5 of the cipher depending on the key size, while having data complexities
of $2^{88}$, $2^{80}$ and $2^{40}$ plaintext-ciphertext pairs, respectively. Arguably no known
generic approach to key recovery allows for that gain. We note that the data
complexity of key recovery can be significantly reduced by sacrificing only a
small factor of computational advantage.

To conclude, we discuss the properties of AES that allowed us to cover more 
rounds than in previous cryptanalysis, discuss the attained computational ad- 
vantage, and list a number of problems to consider for future work. 

9.1 What Properties of the AES Allowed Us to Obtain These New
Results

Our approach heavily relies on the existence of high-probability related-key differentials
over a part of the cipher. More specifically:

— The round transformation of AES is not designed to have strong resistance
against several classes of attacks for a smaller number of rounds. The fact
that our approach allows us to split up the cipher into three parts exposes these
properties even when considering the full cipher. Also, as already observed
in earlier work, the fact that the MixColumns transformation is omitted in the
last round of AES helps to design attacks for more rounds.

— In the key schedule, we especially take advantage of the relatively slow backward
diffusion. Whereas using key-schedule properties in related-key attacks
is natural, there seem to be only a few examples in the literature where this is used
in the arguably more relevant single-key setting. This includes the attack on
the self-synchronized stream cipher Moustique, the lightweight block cipher
KTANTAN, and recent improvements upon attacks on 8 rounds of
AES-192 and AES-256.

9.2 On the Computational Advantage of the Biclique Techniques 

Most computational complexities in this paper are relatively close to those of
generic attacks. Here we discuss why we think the complexity advantage is
meaningful.

— Biclique cryptanalysis with the independent-biclique approach allows us to 
be very precise about the required computations. In all cases we arrive at 
computational complexities considerably lower than those of generic attacks. 

— For long-biclique cryptanalysis, whenever it is difficult to be precise about 
certain parts of our estimates, we choose to be conservative, potentially 
resulting in an underestimate of the claimed improvement. Again, in all 
cases we arrive at a computational complexity that is considerably lower 
than that of generic attacks. 

— Improved AES implementations (that may e.g. be used to speed-up brute 
force key search) will very likely also improve the biclique techniques we 
propose. 

— To the best of our knowledge, there are no generic methods known that 
would speed-up key recovery given a part of the codebook. 
9.3 Open Problems

There are a number of other settings this approach may be applied to. It will 
be interesting to study other block ciphers like the AES finalists or more recent 
proposals with respect to this class of attacks. A combination of the “long- 
biclique” and “independent-biclique” approaches may be a source for further 
improvements. Also, we may decide to drop the requirement of the biclique to 
be complete, i.e. instead of a complete bipartite graph consider a more general 
graph. There may be cases where different tradeoffs between success probability, 
complexity requirements, and even number of rounds are obtainable. Alterna- 
tively, this paper may inspire work on more generic attacks on block ciphers 
that try to take advantage of the fact that a small part of the codebook, or some 
memory, is available. 
A Additional Illustration for the Case of Full AES-128

In Figure 9 we give an additional illustration of key recovery for the full AES- 
128 described in Section [?]. It demonstrates biclique differentials, the influence of key 
differences in matching, and the recomputations. 

The influence of key differences in the matching part can be described as a 
truncated differential that starts with a zero difference in the plaintext (forward 
matching) or in the state (backward matching). Since both biclique and matching 
result from the same key differences, it is natural to depict the related differen- 
tials in the same computational flow (left and center schemes in Figure 9). We 
stress that the full 10-round picture does not represent a single differential trail, 
but is rather a concatenation of trails in rounds 1-7 and 8-10, respectively. 

The biclique differentials are depicted in pink (left, Δ-trail) and light blue 
(center, ∇-trail) colors. The same holds for the matching: pink is the influence of 
ΔK on the backward computation, and light blue is the influence of ∇K on the 
forward computation. The recomputation parts are derived as follows: formally 
overlap the pink and blue schemes; the interleaving parts must then be recomputed 
(dark gray cells). The light gray cells are those excluded from recomputation since 
we do not match on the full state. 
Fig. 9. Biclique differentials and matching in AES-128 
Table 4. Summary of previous results on AES in the single-secret-key model for 7 or 
more rounds 

| rounds | data | workload | memory | method | reference |
|---|---|---|---|---|---|
| AES-128 | | | | | |
| 7 | 2^{127.997} | 2^{120} | | Square | [25], 2000 |
| 7 | 2^{32} | 2^{128−ε} | 2^{100} | Square-functional | [26], 2000 |
| 7 | 2^{117.5} | 2^{123} | 2^{109} | Impossible | [3], 2007 |
| 7 | 2^{115.5} | 2^{119} | 2^{45} | Impossible | [50], 2007 |
| 7 | 2^{115.5} | 2^{119} | 2^{109} | Impossible | [4], 2008 |
| 7 | 2^{112.2} | 2^{112} + 2^{117.2} MA | 2^{109}? | Impossible | [34], 2008 |
| 7 | 2^{80} | 2^{113} + 2^{123} precomp. | 2^{122} | MitM | [20], 2009 |
| 7 | 2^{106.2} | 2^{107.1} + 2^{117.2} MA | 2^{94.2} | Impossible | [36], 2010 |
| 7 | 2^{103} | 2^{116} | 2^{116} | Square-multiset | [22], 2010 |
| AES-192 | | | | | |
| 7 | 2^{127.997} | | | Square | [25], 2000 |
| 7 | 2^{36} | 2^{155} | 2^{32} | Square | [25], 2000 |
| 7 | 2^{32} | 2^{182} | 2^{32} | Square | [35], 2000 |
| 7 | 2^{32} | 2^{140} | 2^{84} | Square-functional | [26], 2000 |
| 7 | 2^{92} | 2^{186} | 2^{153} | Impossible | [40], 2004 |
| 7 | 2^{115.5} | 2^{119} | 2^{45} | Impossible | [50], 2007 |
| 7 | 2^{92} | 2^{162} | 2^{153} | Impossible | [50], 2007 |
| 7 | 2^{91.2} | 2^{139.2} | 2^{61} | Impossible | [34], 2008 |
| 7 | 2^{113.8} | 2^{118.8} MA | 2^{89.2} | Impossible | [34], 2008 |
| 7 | 2^{34+n} | 2^{74+n} + 2^{208−n} precomp. | 2^{206−n} | MitM | [19], 2008 |
| 7 | 2^{80} | 2^{113} + 2^{123} precomp. | 2^{122} | MitM | [20], 2009 |
| 7 | 2^{103} | 2^{116} | 2^{116} | Square-multiset | [22], 2010 |
| 8 | 2^{127.997} | 2^{188} | 2^{64} | Square | [25], 2000 |
| 8 | 2^{113} | 2^{172} | 2^{129} | Square-multiset | [22], 2010 |
| AES-256 | | | | | |
| 7 | 2^{36} | 2^{172} | 2^{32} | Square | [25], 2000 |
| 7 | 2^{127.997} | 2^{120} | 2^{64} | Square | [25], 2000 |
| 7 | 2^{32} | 2^{200} | 2^{32} | Square | [35], 2000 |
| 7 | 2^{32} | 2^{184} | 2^{140} | Square-functional | [26], 2000 |
| 7 | 2^{92.5} | 2^{250.5} | 2^{153} | Impossible | [40], 2004 |
| 7 | 2^{115.5} | 2^{119} | 2^{45} | Impossible | [50], 2007 |
| 7 | 2^{113.8} | 2^{118.8} MA | 2^{89.2} | Impossible | [34], 2008 |
| 7 | 2^{92} | 2^{163} MA | 2^{61} | Impossible | [34], 2008 |
| 7 | 2^{34+n} | 2^{74+n} + 2^{208−n} precomp. | 2^{206−n} | MitM | [19], 2008 |
| 7 | 2^{80} | 2^{113} + 2^{123} precomp. | 2^{122} | MitM | [20], 2009 |
| 8 | 2^{127.997} | 2^{204} | 2^{104} | Square | [25], 2000 |
| 8 | 2^{116.5} | 2^{247.5} | 2^{45} | Impossible | [50], 2007 |
| 8 | 2^{89.1} | 2^{229.7} MA | 2^{97} | Impossible | [34], 2008 |
| 8 | 2^{111.1} | 2^{227.8} MA | 2^{112.1} | Impossible | [34], 2008 |
| 8 | 2^{34+n} | 2^{202+n} + 2^{208−n} precomp. | 2^{206−n} | MitM | [19], 2008 |
| 8 | 2^{80} | 2^{241} | 2^{123} | MitM | [20], 2009 |
| 8 | 2^{113} | 2^{196} | 2^{129} | Square-multiset | [22], 2010 |
Table 5. Summary of previous results on AES in hash-mode use, i.e. distinguishers in 
chosen and known-key models, or preimage or collision attacks 

| rounds | versions | type/mode | attack/gen. | memory | method | reference |
|---|---|---|---|---|---|---|
| 7 | all | known-key dist. | 2^{56}/2^{58}? | – | Square | [32], 2007 |
| 7 | all | chosen-key dist. | 2^{24}/2^{64} | 2^{16} | Rebound | [38], 2009 |
| 8 | all | chosen-key dist. | 2^{48}/2^{64} | 2^{32} | Rebound | [27, 33], 2009 |
| 14 | 256 | chosen-key dist. | 2^{69}/2^{77} | – | Boom-g | [10], 2009 |
| 6 | all | collision/MMO+MP | 2^{56}/2^{64} | 2^{32} | Rebound | [33], 2009 |
| 7 | all | near-coll./MMO | 2^{32}/2^{48} | 2^{32} | Rebound | [33], 2009 |
| 7 | all | preimage/DM | 2^{120}/2^{128} | 2^{8} | Splice&Cut | [42], 2011 |
| 7 | all | 2nd-pre./MMO+MP | 2^{120}/2^{128} | 2^{8} | Splice&Cut | [42], 2011 |

Table 6. Example of a biclique for 9-round AES-256. S_i are states after MixColumns 
in round 5, C_i are ciphertexts. 

S_0:             S_1:             C_0:             C_1: 
40 8a ba 52      44 d2 66 7b      79 18 c0 8e      5d 08 b5 ac 
30 4a 10 52      32 34 6e f7      67 ac 89 9e      e5 bd d3 54 
34 b6 84 52      36 f4 b0 7a      2e 39 52 84      a0 ac d9 8a 
b8 fe aa 52      b8 ba 71 3a      3c fd 40 26      09 6a 55 1e 

K[0,0]: $6, $7                    K[0,1]: $6, $7 
7d 8a d8 a4 30 e8 00 00           7d 8a d8 a4 34 ec 04 04 
12 a8 f9 31 5a 42 00 00           12 a8 f9 31 58 40 02 02 
12 55 cd 0b 32 d6 00 00           12 55 cd 0b 30 d4 02 02 
58 66 d8 cf 54 f8 00 00           58 66 d8 cf 52 fe 06 06 

K[1,0]: $6, $7                    K[1,1]: $6, $7 
7d 8a d8 a4 30 e8 00 00           7d 8a d8 a4 34 ec 04 04 
10 aa f9 31 5a 42 00 00           10 aa f9 31 58 40 02 02 
ab ec cd 0b 32 d6 00 00           ab ec cd 0b 30 d4 02 02 
5a 64 d8 cf 54 f8 00 00           5a 64 d8 cf 52 fe 06 06 
Abstract. We analyze the security of the TLS Record Protocol, a MAC- 
then-Encode-then-Encrypt (MEE) scheme whose design targets confi- 
dentiality and integrity for application layer communications on the 
Internet. Our main results are twofold. First, we give a new distinguishing 
attack against TLS when variable length padding and short (truncated) 
MACs are used. This combination will arise when standardized TLS 1.2 
extensions (RFC 6066) are implemented. Second, we show that when 
tags are longer, the TLS Record Protocol meets a new length-hiding au- 
thenticated encryption security notion that is stronger than IND-CCA. 


1 Introduction 

TLS is perhaps the Internet’s most widely used security protocol. At its heart 
lies a sub-protocol for integrity-protecting and encrypting data, called the TLS 
Record Protocol. The current version of this protocol, TLS 1.2, is specified in [?], 
though earlier versions [?] are still in widespread use. At a high level, the 
TLS Record Protocol makes use of a MAC-then-Encode-then-Encrypt (MEE) 
construction, where the “Encode” step takes care of any padding that might be 
needed prior to the encryption step. For reasons that will become clear, we focus 
on MEE when used with CBC mode. 

In this case, TLS 1.2 works as follows to protect a message M whose bit-length 
m = |M| must be a multiple of eight. Let n be the block size of the block cipher 
underlying CBC. Then, one chooses a fresh n-bit IV to use with CBC mode to 
encrypt the bit string M‖T‖P‖···‖P. Here T is a τ-bit message authentication 
tag produced by running HMAC over M and some header information including 
a sequence number, and P‖···‖P is the bit string formed by concatenating 
together p + 1 copies of the string P. The value P is the byte-encoding of the 
number p, which indicates the number of padding bytes. It is required that 
ℓ = m + τ + 8(p + 1) be a multiple of n. We refer to this scheme as MEE-TLS-CBC. 
A common instantiation uses AES and HMAC-SHA1, making n = 128 and 
τ = 160. 

Implementations can choose p in different ways. One is to use minimal-length 
padding by letting p ≥ 0 be the smallest possible value that results in ℓ being 
a multiple of n. Another is to use larger values of p in order to generate extra 
padding. GnuTLS [?], for example, randomly selects p from the set of possible 
| | MAC | Encoding | Security target |
|---|---|---|---|
| BN00 [3] | SUF-CMA | Concatenation | IND-CPA + PTXT |
| K01 [15] | SUF-CMA | Concatenation, tag fills one block | IND-CPA + CUF-CPA |
| K01* | SUF-CMA | Concatenation, tag fills one block | IND-CPA + CTXT |
| MT10 [18] | SUF-CMA | Any function | Secure channel |
| This work | PRF | TLS’s padding, m + τ > n − 8 | LHAE |

Fig. 1. Summary of positive results known about MEE under various assumptions 
about the MAC. The restriction on padding of our result involves the message length m, 
tag length τ, and block length n. Our attack shows the necessity of this restriction for 
security. 


values. As indicated in the TLS specification, the intent is to combat traffic 
analysis attacks that exploit plaintext message lengths [?]. 

This paper. We provide the first analysis of the security of MEE-TLS-CBC as 
an authenticated encryption (AE) scheme. We start by strengthening traditional 
AE notions [?] to cover the goal of hiding plaintext lengths that motivates 
the use of extra padding. Using our new length-hiding AE (LHAE) notion, we 
provide complementary negative and positive results about MEE-TLS-CBC for 
general m, τ, and n. When m + τ < n − 8 and extra padding is used, we give an 
attack that allows a man-in-the-middle to readily distinguish between messages 
of different lengths. A variant of this attack rules out proving traditional AE 
security as well. On the other hand, we show that when m + τ > n − 8 one 
provably achieves LHAE security. This positive result holds for a generalization 
of TLS encoding; it may be applicable in other settings where MEE is used with 
CBC. 

In the current TLS standard [?], the allowed primitives are such that n ≤ 128 
and τ ≥ 160. Here the attack does not apply and our positive results pro- 
vide strong evidence of security. More worrisome is the use of truncated MACs, 
where τ = 80 and the attack would apply. Truncated MACs are used widely in 
other protocols (e.g., IPSec [?]) and are standardized as a TLS extension in 
RFC 6066 [?]. 

Prior work on MEE. Before describing our results in a bit more detail, we 
briefly summarize the literature as it applies to MEE-TLS-CBC; see Figure 1. 
Bellare and Namprempre (BN00) [3] introduced two notions of integrity: in- 
tegrity of plaintexts (PTXT) and of ciphertexts (CTXT). They showed that 
MEE with any invertible encoding step is IND-CPA and has integrity of plain- 
texts (PTXT) assuming the MAC is strongly unforgeable (SUF-CMA), but argue 
that PTXT is insufficient for applications because one should target CTXT. 
Meeting both IND-CPA and CTXT is one of several equivalent formulations for 
AE security [?]. 

Krawczyk (K01) [15] analyzed a variant of MEE-TLS-CBC in which m must be 
a multiple of n, the tag length is τ = n, and no padding is used. He showed that 
this variant, which does not arise in TLS, achieves a notion of integrity he calls 
CUF-CPA. This is weaker than CTXT, though a straightforward extension of 
K01’s techniques proves that this variant is both IND-CPA and CTXT secure; we 
list this as K01* in Figure 1. While we will build on the techniques underlying 
these results, the fact that they ignore padding makes them of limited direct 
relevance to TLS security. Indeed, as the attacks in [?], discussed further 
below, indicate, the way padding is handled is crucial to the (in)security of 
MEE-TLS-CBC. 

Maurer and Tackmann (MT10) [18] considered MEE with encoding steps 
being any function, thus restricting attention to minimum-length padding only. 
They provide a secure channel notion formalized within a new constructive cryp- 
tography framework, but the details of this framework (at the time of our writ- 
ing) have not yet emerged, making comparison with our results for minimum- 
length padding TLS premature. Our approach uses a more traditional game- 
based treatment. 

As it stands, none of the prior works analyze the AE security of the version 
of MEE-TLS-CBC used within the standard nor do they treat the length-hiding 
goal of extra padding. 

Length-hiding encryption. Our technical results begin by generalizing en- 
cryption to consider the length-hiding goal targeted by TLS. The explicitly 
stated intent is that applications should be able to hide the length of plaintexts 
up to some granularity. As mentioned above, the GnuTLS client [?] attempts 
to obfuscate plaintext length patterns by selecting the amount of padding for 
each message randomly. This means that for a given message length, the appli- 
cation may vary the amount of padding used. Standard-compliant decryption 
implementations must support ciphertexts including such extra padding. 

This choice was perhaps prescient: attacks taking advantage of leaked plain- 
text lengths allow inferring web browsing habits [?] and voice-over-IP 
conversations [?]. Note that even when only minimal-length padding is used, 
MEE-TLS-CBC nevertheless seemingly should hide lengths that are padded to the 
same multiple of n. Given [?], MEE-TLS-CBC seems to have a small 
security advantage over MEE using OTP; the latter always leaks precise plain- 
text lengths. Traditional security notions that explicitly allow message lengths 
to leak (e.g., IND-CPA, IND-CCA) are too weak to surface this distinction. 

To treat MEE-TLS-CBC in its full generality, then, we formalize length-hiding 
encryption. We extend the usual syntax of authenticated encryption scheme with 
associated data (AEAD) to allow the encryption algorithm to take an extra 
ciphertext-length parameter, in addition to the usual key, header, and message. 
This allows the user to indicate the desired length of ciphertext. 

We correspondingly upgrade the traditional security notions, which do not 
capture length hiding, and introduce a length-hiding authenticated encryption 
(LHAE) security notion. Our all-in-one definition gives an attacker access to 
a left-or-right encryption oracle on pairs of chosen messages M_0, M_1 of arbi- 
trary lengths and a chosen ciphertext-length. As usual, the attacker’s job is 
to output its guess for a hidden bit b. The LHAE definition captures length 
hiding in settings where applications may adaptively vary padding per message 


Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol 375 


(such as GnuTLS). Of course, a special case of our security notion is arrived at by 
restricting to same-length messages: this corresponds to a left-or-right indistin- 
guishability variant of the all-in-one AE notion of Rogaway and Shrimpton [?]. 
Proving LHAE security therefore establishes AE security as a special case. 

New attacks against MEE-TLS-CBC. Our work brings to light interesting 
new attacks against TLS. Consider MEE-TLS-CBC when m + τ < n − 8. 
This means that a complete message M (of m bits), a tag, and at least one 
padding byte can fit into a single CBC block of size n. Then an attacker, given 
an encryption C of a message M that is created using longer-than-minimum 
padding, is able to create another encryption C' of the same message M; we call 
this a decryption collision. This immediately violates the ciphertext integrity 
(CTXT) of MEE-TLS-CBC, thereby ruling out AE or LHAE security, and can 
easily be extended to build an IND-CCA distinguisher as well. 

It may seem that this deficiency is not dangerous. After all, it just shows 
that an attacker can generate a new ciphertext that decrypts to an already 
legitimately encrypted message, and this does not threaten the security of TLS 
as a secure channel protocol. Indeed, some formulations of channel security [?], 
including that of [?], explicitly exclude decryption collisions from being 
considered as an insecurity. Nevertheless, it rules out meeting the AE security 
notion targeted, and met, by other designs. 

What’s more, decryption collisions prove obviously damaging in the length- 
hiding setting. We will show that they can be used to allow an attacker to 
distinguish between encryptions of messages of different lengths, for example 
“YES” and “NO”. This defeats the TLS design intention of hiding plaintext 
lengths at this level of granularity. The distinguishing attack would be simple to 
mount in practice by a man-in-the-middle. 

TLS 1.2 (and older versions) specifies n ∈ {64, 128} (DES, AES) and τ ≥ 160 
(HMAC-SHAx), so this attack does not affect the security of TLS as specified 
in version 1.2. However, 80-bit truncated MACs are explicitly defined for use 
in extensions to TLS 1.2 [?]. Our attack would therefore apply to TLS using 
CBC-AES with these truncated MACs and extra padding. We are unaware of 
any current implementations that are vulnerable, but this will change if, for 
example, GnuTLS implemented the TLS 1.2 truncated MAC extension. 

LHAE security of MEE-TLS-CBC. Now the good news. We complement our 
negative results by proving LHAE security for MEE-TLS-CBC exactly when the 
above attacks do not work: when m + τ > n − 8 or no extra padding is used. The 
analysis is involved, as one may expect given the sharp divide between security 
and insecurity. Let us look at it from a high level. 

The natural starting point for our analysis is the K01* result for concatena- 
tion encoding, τ = n, block-aligned tags, and no padding. Here one splits the 
task of proving authenticated encryption security into two key steps (leveraging 


The terminology from [?] would call this a replay. We reserve replay for the more 
traditional security goal of not accepting the same message twice, even if derived 
from the same ciphertext. Achieving replay resistance requires stateful decryption. 


376 K.G. Paterson, T. Ristenpart, and T. Shrimpton 

techniques from [?]) showing separately IND-CPA and CTXT security. IND- 
CPA security is immediate from the IND-CPA security of CBC mode. A general 
result gives that many-query CTXT is implied by q_d times the advantage of 
single-query CTXT, where q_d is the number of decryption queries. So what re- 
mains is showing single-query CTXT. The K01* analysis applies the security 
of the block cipher as a strong PRP to move to a setting in which the adver- 
sary learns nothing about MAC tags from encryption queries and, moreover, for 
its single decryption query submits a ciphertext consisting of blocks that were 
output during encryption. The proof concludes via a case analysis partitioned 
according to which ciphertext blocks are used and how they relate to where tags 
were located within the encryption queries. The alignment of tags with block 
boundaries eases this analysis, but it is still relatively involved. 

Several new difficulties arise in applying this approach to MEE-TLS-CBC. 
Foremost of these is that the case analysis becomes significantly more complex, 
as tags may (for example) span multiple blocks and variable-length padding is 
allowed. Also, the K01* approach only provides a loose bound, approximately 
2^{n/3}, because it proves single-query CTXT and then uses a general hybrid argu- 
ment to conclude multi-query CTXT. Finally, none of the general results apply 
to length-hiding encryption. The last issue is the easiest to handle, and in the 
full version we show that length-hiding IND-CPA and CTXT together imply 
LHAE. The other issues prove more troublesome. We therefore first simplify our 
task by introducing a new security notion that will enable further modularity. 

Collision-resistant decryption security. Recall that our attack above 
found decryption collisions: the adversary computed a new ciphertext that de- 
crypts to a previously encrypted message. We formalize resistance to such attacks 
and call the resulting notion collision-resistant decryption (CRD). It turns out 
that CRD exactly characterizes the gap between CTXT and PTXT: we prove 
that a scheme is CTXT if and only if it is both PTXT and CRD. 

With this new characterization of CTXT in hand, we proceed as follows. We 
show (in the full version) that MEE is length-hiding IND-CPA secure and PTXT 
secure. Both of these results follow straightforwardly from the techniques of [?]. 
Thus showing LHAE of MEE-TLS-CBC reduces to proving CRD security. Here 
we still have technical hurdles, including the fact that we must directly analyze 
multi-query CRD, deal with arbitrary tag locations and sizes, and account for 
variable length padding. What’s more, we must observe precise requirements on 
tag and message lengths to avoid our attacks. To make this task slightly easier, 
we assume that the MAC is a secure PRF. While this is a stronger assumption 
than SUF-CMA, the MAC used by TLS is HMAC, which must be a good PRF 
in other parts of the TLS protocol. 

Stateful LHAE. In fact the TLS record protocol uses both stateful encryption 
and stateful decryption, enabling replay resistance. We handle this, too. In the 
full version we formalize a stateful LHAE notion (generalizing a definition of [?]) 
and show that one can easily lift all our results to the stateful setting. 
Prior versions of TLS. We have concentrated on the TLS 1.2 standard, 
though all our results apply to TLS 1.1 as well. TLS 1.0 differs in two key ways, 
changing the applicability of our results. First, standard-compliant implemen- 
tations of TLS 1.0 allowed an attacker to distinguish between decoding failures 
(arising from incorrectly formatted padding) and authentication failures (aris- 
ing from MAC verification failures). It was shown in [?] how this difference 
could be exploited to decrypt ciphertexts in the OpenSSL implementation of 
TLS. Consequently, the TLS 1.1 and 1.2 specifications mandate that implemen- 
tations prevent such attacks by enforcing uniform error reporting (both in terms 
of timing and the actual message returned). Our positive results are in this uni- 
form error reporting model and don’t necessarily apply when non-uniform error 
reporting is in effect. 

The second difference is that in TLS 1.0 CBC mode used chained IVs, meaning 
that the IV used to encrypt a message is set to the last ciphertext block from 
the previously sent ciphertext. As reported in [?], Rogaway and Dai found 
distinguishing attacks that exploit chained IVs, and so in TLS 1.1 and beyond, 
dedicated IVs are required. Our attacks and proof only apply when dedicated 
IVs are used as in TLS 1.1 and 1.2. 

Recap and discussion. Putting together all our results, we see that the ex- 
act nature of encoding in MEE must be carefully considered when analysing 
protocols based upon it. Our attacks and positive results characterize the pa- 
rameters under which MEE-TLS-CBC falls to (at least) distinguishing attacks 
and those under which we can have significantly better confidence in security 
via our proofs. To recap, tag size matters: too small and security fails, large 
enough and LHAE security can be proved. 

We are in contact with those involved in TLS standardization, and hope that 
vulnerabilities in future versions can be avoided. There are several ways to protect 
TLS from these problems. For example, one could include the padding length in 
the MAC scope. Our attacks would no longer work and, in fact, one should be able 
to prove LHAE security. The best solution is to stop using MEE-based en- 
cryption within TLS (and elsewhere). Instead, one could use Encrypt-then-MAC 
or one of the dedicated AE schemes. We note that our LHAE notion is interest- 
ing for these as well, allowing one to show, for example, that Encrypt-then-MAC 
achieves some degree of length hiding in the case where one uses CBC. 

2 Notation, Syntax and Basic Security Notions 

Notation. When 𝒳 is a set, we write X ←$ 𝒳 to mean that an element (named X) 
is uniformly sampled from 𝒳. We overload the notation for probabilistic or state- 
ful algorithms, writing X ←$ M to mean that algorithm M runs and outputs a 
value named X. The set {0,1}^{≤n} contains all bitstrings of length at most n bits, 
and as usual {0,1}* is the set of all finite length strings. When X and Y are 
strings, we write X‖Y for their concatenation. When X ∈ {0,1}* we write |X| for 
its length. For a tuple of strings (X_1, X_2, ..., X_b) we define |(X_1, X_2, ..., X_b)| = 
|X_1 ‖ X_2 ‖ ··· ‖ X_b|. 
We often use the notation M ⇒ x to denote the event (defined over some 
specified probability space) that some algorithm M outputs value x. 

An adversary A is a probabilistic algorithm that takes zero or more oracles, 
denoted as superscripts. 

Function Families, PRFs and SPRPs. Fix sets 𝒟, ℛ and a non-empty set 
𝒦. Let F: 𝒦 × 𝒟 → ℛ be a mapping. For each K ∈ 𝒦 we write F_K(·) for 
F(K, ·) and thus think of F as a function family indexed by 𝒦. Let Func(𝒟, ℛ) 
denote the set of all functions from 𝒟 to ℛ. Let A be an adversary. We define 

  Adv^{prf}_F(A) = Pr[ K ←$ 𝒦 : A^{F_K(·)} ⇒ 1 ] − Pr[ f ←$ Func(𝒟, ℛ) : A^{f(·)} ⇒ 1 ] 

to be the PRF-advantage of A attacking F. We overload notation and write 
Adv^{prf}_F(t, q, μ) to mean the maximum of Adv^{prf}_F(A) over all adversaries A that 
run in time t and ask q queries, these totalling μ bits in length. 

Fix integers k, n > 0, and let E: {0,1}^k × {0,1}^n → {0,1}^n be a function 
family. If for every K ∈ {0,1}^k we have that E_K(·) is a permutation (bijec- 
tive mapping), then E is a blockcipher, and we call n the blocksize. We write 
Perm(n) for the set of all permutations over {0,1}^n. We define 

  Adv^{sprp}_E(A) = Pr[ K ←$ {0,1}^k : A^{E_K(·), E_K^{−1}(·)} ⇒ 1 ] − Pr[ π ←$ Perm(n) : A^{π(·), π^{−1}(·)} ⇒ 1 ] 

to be the strong PRP-advantage of A attacking E. Again, we overload our nota- 
tion and write Adv^{sprp}_E(t, q_1, q_2) to mean the maximum of Adv^{sprp}_E(A) over all 
adversaries A that run in time t, asking a total of q queries to its oracles. 

Encryption Schemes and MACs. An encryption scheme SE = (K_se, Enc, Dec) 
is a triple of algorithms. The probabilistic algorithm K_se samples from a finite and 
non-empty set 𝒦_se. The encryption algorithm Enc and decryption algorithm Dec 
take an input (K, ℓ, H, M) ∈ 𝒦_se × ℕ × {0,1}* × {0,1}* (the key, output length, 
associated data, and message or ciphertext) and output either a string or the 
distinguished output ⊥. The encryption algorithm can be probabilistic while 
decryption is always deterministic. We assume there are sets ℋ ⊆ {0,1}* (the 
header space), ℒ ⊆ ℕ (the requested length space), and ℳ ⊆ {0,1}* (the message 
space) such that for all K ∈ 𝒦_se it holds that Pr[Enc_K(ℓ, H, M) ∈ {0,1}*] = 1 if 
(ℓ, H, M) ∈ ℒ × ℋ × ℳ and Pr[Enc_K(ℓ, H, M) = ⊥] = 1 if (ℓ, H, M) ∉ ℒ × ℋ × ℳ. 
For correctness we require that for all (K, ℓ, H, M) ∈ 𝒦_se × ℒ × ℋ × ℳ it holds 

that Pr[Dec_K(H, Enc_K(ℓ, H, M)) = M] = 1. 

We further make the restriction that whether or not Enc returns ⊥ does not 
vary with the message length (all other inputs kept equal). Formally, for all 
(K, ℓ, H) ∈ 𝒦_se × ℒ × ℋ and for all M, M' ∈ ℳ such that |M| = |M'| it 
holds that for all coins Enc_K(ℓ, H, M) = ⊥ iff Enc_K(ℓ, H, M') = ⊥. 

Let us make a few comments on what this syntax captures. First, because ℓ is 
a parameter of encryption, the syntax supports encryption schemes that return 
variable-length ciphertexts of the same plaintext M. Second, for any fixed plain- 
text length m, either all M ∈ {0,1}^m encrypt to valid ciphertexts, or none of 
them do. Third, if ℓ and M are such that encryption would return ⊥ (e.g. because 
ℓ < |M|, or the encryption algorithm does not support ciphertexts of length ℓ), 
then it does so always. Finally, since decryption does not take the length pa- 
rameter ℓ, our correctness requirement implicitly demands that the length of the 
underlying plaintext can be inferred given (K, H, C) where C = Enc_K(ℓ, H, M). 

Let E: {0,1}^k × {0,1}^n → {0,1}^n be a block cipher. Then the encryption 
scheme CBC[E] has message space {0,1}^{n+} (all strings that are a multiple of n 
bits). Key generation K_se outputs a random K ←$ {0,1}^k. On input including a 
message M = M_1 ‖ ··· ‖ M_m ∈ {0,1}^{nm}, encryption ignores any requested length 
or header inputs and returns the ciphertext C_0 ‖ ··· ‖ C_m where C_0 ←$ {0,1}^n 
and C_i ← E_K(C_{i−1} ⊕ M_i) for 1 ≤ i ≤ m. 

Fix an integer τ > 0. A message authentication code (MAC) is a function 
family F: 𝒦_ma × 𝒟 → {0,1}^τ, where τ is the tag length of the MAC. 

Conventions. The running time of algorithms (e.g. adversaries) is relative to 
some implicit underlying RAM model of computation. The running time of an 
adversary is assumed to include the time to execute the entire experiment in 
which it executes, including (for example) the time for its oracles to execute. 
Throughout we fix the convention that adversaries do not ask pointless queries: 
they do not query an oracle on a value outside of its domain, nor on values 
that are defined to cause a ⊥ return value. Also, adversaries are assumed not to 
repeat queries to deterministic oracles. This convention is made without loss of 
generality. 

3 MAC-Encode-Encrypt and the TLS Record Protocol 

The TLS Record Protocol uses the MAC-then-encode-then-encrypt paradigm. 
The algorithm first applies a message authentication scheme to the message 
and header to derive a tag. The message and tag are then encoded into a bit 
string according to some encoding rules. Finally an encryption scheme is used 
to encrypt the result. 

Encoding schemes. An encoding scheme CODE = (encode, decode) is a pair of 
deterministic algorithms. The encoding algorithm encode takes an input 
(ℓ, M, T) ∈ ℕ × {0,1}* × {0,1}* (the output length, message, and tag) and 
returns a string of length ℓ or the distinguished symbol ⊥. An encoding scheme 
is assumed to have a fixed maximum allowable output length ℓ_max. If ℓ < |M| + |T| 
or ℓ > ℓ_max then encode returns ⊥. The decoding algorithm decode takes an in- 
put in {0,1}* and returns an element of {0,1}* × {0,1}* or (⊥, ⊥). If either 
algorithm is called on an input outside of its specified domain, it returns an 
appropriate failure symbol. For correctness we require that, for all ℓ, M, and T 
such that encode(ℓ, M, T) ≠ ⊥, we have decode(encode(ℓ, M, T)) = (M, T). 

The MEE AEAD scheme. We define the MEE scheme that forms the basis 
for encryption in TLS, some modes of IPSec, and elsewhere. Fix some block 
size n. Let SE = (K, Enc, Dec) be an encryption scheme with a message space 
{0,1}^{n+} (all strings of length a multiple of n). We assume that, given inputs of 
an appropriate length, the algorithms Enc, Dec are failure-free. Let F: 𝒦_ma × 
{0,1}* → {0,1}^τ be a function. Let CODE = (encode, decode) be an encoding 
alg. K: 
    K_se ←$ 𝒦_se 
    K_ma ←$ 𝒦_ma 
    Ret (K_ma, K_se) 

alg. Enc_K(ℓ, H, M): 
    (K_ma, K_se) ← K 
    T ←$ F_{K_ma}(H, M) 
    X ← encode(ℓ − n, M, T) 
    If X = ⊥ then Ret ⊥ 
    Ret Y ←$ Enc_{K_se}(X) 

alg. Dec_K(H, C): 
    (K_ma, K_se) ← K 
    X ← Dec_{K_se}(C) 
    (M, T) ← decode(X) 
    If (M, T) = (⊥, ⊥) then Ret ⊥ 
    If F_{K_ma}(H, M) ≠ T then Ret ⊥ 
    Ret M 

Fig. 2. Algorithms for the MEE generic composition 


scheme for which the outputs of encode all have bit lengths a positive multiple 
of n. Then MEE[F, CODE, SE] = (K, Enc, Dec) is defined as shown in Figure 2. 
Notice that Enc takes as input a requested ciphertext length ℓ, as well as 
associated data H and message M. The inclusion of ℓ allows for variable length 
padding to be used, while the inclusion of H allows us to incorporate additional 
fields in the MAC scope, for example, TLS’s sequence numbers and compression 
type and version fields. Notice that Dec can fail either because of a failure to 
properly decode the message X, or because of a failure to verify the MAC tag 
T. However, in our specification of the MEE scheme, these error events are not 
distinguishable. This prevents the attacks of [?] and is in line with the TLS 
specification [?]. In TLS, any such errors are fatal, leading to the destruction 
of the TLS connection and the disposal of the keys, meaning that an attacker 
can no longer interact with the protocol. In our description of MEE, these errors 
are non-fatal, allowing an attacker to continue to interact with the MEE scheme 
after an error has arisen. It is easy to see that security with non-fatal errors 
immediately implies security with fatal errors, since any adversary in the former 
case is more powerful than in the latter case. Thus any security results we prove 
about MEE will imply security for the more realistic version of MEE in which 
errors are fatal. 

TLS encoding. Let TLScode = (TLSencode, TLSdecode) be the encoding 
scheme defined in Figure 3. This scheme is parameterized by the integers ψ, 
n, and τ, representing the maximal padding length, a block length, and a tag 
length. Recall that we work with bits in our algorithmic descriptions and cryp- 
tographic analysis, rather than with bytes as in the TLS specification [ref]. 
For TLS, ψ can be as large as 2048, since the longest padding pattern that is 
permitted consists of 256 copies of the byte value 0xFF. However, an implemen- 
tation may select a smaller value of ψ. Note that this scheme has a decoding 
algorithm permitting variable-length padding of any length (not limited by ψ). 
This decoding algorithm checks every byte of padding to ensure that it is correct. 
It also allows the final message M (obtained after removing padding and parsing 
the resulting string into message M and MAC tag T) to be of zero length. Again, 
these choices are in accordance with the TLS specification [ref]. 

Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol 381 

alg. TLSencode(ℓ, M, T): 
  If ℓ mod n ≠ 0 then Ret ⊥ 
  p ← ℓ − (|M| + |T|) 
  If p < 8 then Ret ⊥ 
  If p > ψ then Ret ⊥ 
  If p mod 8 ≠ 0 then Ret ⊥ 
  P ← int2byte(p/8 − 1) 
  X ← M || T || P ···_{p/8} P 
  Ret X 

alg. TLSdecode(X): 
  If |X| mod n ≠ 0 then Ret (⊥, ⊥) 
  (X, P) ← split_{|X|−8,8}(X) 
  b ← byte2int(P) 
  p ← 8·b 
  If |X| − p − τ < 0 then Ret (⊥, ⊥) 
  For i = 1 to b do 
    (X, P') ← split_{|X|−8,8}(X) 
    If P ≠ P' then Ret (⊥, ⊥) 
  (M, T) ← split_{|X|−τ,τ}(X) 
  Ret (M, T) 

Fig. 3. Algorithms for the TLS encoding scheme. Here P ···_k P denotes k copies of 
the byte P, and split_{a,b}(X) splits X into its first a bits and its last b bits. 

Generalizing TLS encoding. For the purposes of our positive results, we 
will analyze a generalization of TLS encoding. An encoding scheme CODE = 
(encode, decode) is MEE sufficient if it is parameterized by a block length n and 
tag length τ and has the following properties: 

(1) The output encode(ℓ, M, T) consists of a string M || T || P ∈ {0,1}^{in} for 
some i ≥ 1 and where |P| = ℓ − |M| − |T|. The particular padding P is 
uniquely determined by |P|. 

(2) Algorithm decode(X) for |X| = ℓ returns (M, T) only if encode(ℓ, M, T) 
outputs M || T || P. 

(3) CODE yields prefix-free padding, which means that for any M, M' such that 
|M| = |M'|, for any T, T', the padding P returned by encode(ℓ, M, T) is 
not a prefix of the padding returned by encode(ℓ', M', T') for any ℓ ≠ ℓ'. 

One may be able to relax property (1) in various ways and still prove security, but 
we focus on this case for greatest simplicity (while still covering TLS encoding). 
Property (1) and the invertibility of encoding indicate that for any strings M, T 
and number ℓ for which encode(ℓ, M, T) does not output ⊥, there is a single 
string P such that encode(ℓ, M, T) outputs M || T || P. 

In the proof of our main technical result, Theorem 2, it will be useful to 
assume that one can extract from encode a routine called Pad that, on input 
(|M|, ℓ), simply returns the padding P from M || T || P. Similarly, it will be 
useful to assume that one can extract from decode: (1) a routine called Parse 
that, on input X, returns the appropriate triple M, T, P; and (2) a routine called 
PadCheck that, on input (|M|, P, |X|), returns 1 if P is the correct padding, and 
0 otherwise. It is easy to see that such routines can be extracted from TLSencode 
and TLSdecode. 

For notational clarity, and letting F be some function family that will be clear 
from context, we let MEE-GEN-CBC = MEE[F, CODE, CBC] be a mnemonic 
defining the scheme that uses a MEE-sufficient encoding scheme CODE with 
CBC. In particular, we let MEE-TLS-CBC = MEE[F, TLScode, CBC]. When we 
need to be explicit, we write CBC[E] to mean that CBC encryption is done over 
a function family E. 
main LHAE_SE: 
  K ←$ 𝒦_se; 𝒞 ← ∅ 
  b ←$ {0,1} 
  b' ←$ A^{Enc,Dec} 
  Ret (b' = b) 

procedure Enc(ℓ, H, M_0, M_1): 
  C_0 ←$ Enc_K(ℓ, H, M_0) 
  C_1 ←$ Enc_K(ℓ, H, M_1) 
  If C_0 = ⊥ or C_1 = ⊥ then Ret ⊥ 
  𝒞 ← 𝒞 ∪ {C_b}; Ret C_b 

procedure Dec(H, C): 
  If b = 1 ∧ C ∉ 𝒞 then 
    Ret Dec_K(H, C) 
  Ret ⊥ 

Fig. 4. Length-hiding AEAD security game 

4 Length-Hiding Authenticated Encryption 

Here we formalize security goals for the TLS Record Protocol, and establish 
some basic results about these goals. We target authenticated encryption secu- 
rity, which requires (informally) that an adversary cannot generate new, valid 
ciphertexts itself, nor learn partial information about encrypted plaintexts. Note 
that this implies traditional chosen-ciphertext attack security. One security as- 
pect traditional AE security goals do not treat, however, is length hiding. As we 
saw in the previous section, the TLS standard includes the option for variable- 
length padding so that applications can choose to hide exact message lengths. 
Even in the minimal-length-padding case some amount of length hiding could 
exist since one must pad to the next block boundary. Classical security goals, 
such as semantic security and the stronger AE notion mentioned above, ex- 
plicitly leak message lengths. Thus one cannot use these to reason about the 
length-hiding capabilities of MEE-TLS-CBC. We therefore give a new security 
notion to capture length hiding under chosen-length attacks. It generalizes the 
randomized AEAD security notion given in [ref]. 

Length-hiding AEAD security. Let SE = (K_se, Enc, Dec) be an encryption 
scheme and let A be an adversary. Figure 4 details the length-hiding 
authenticated-encryption security game. We define the LHAE-advantage (of A) to be 

$$\mathrm{Adv}^{\mathrm{lhae}}_{SE}(A) = 2\cdot\Pr\left[\mathrm{LHAE}^{A}_{SE} \Rightarrow \mathrm{true}\right] - 1 .$$

Let LHAE1 (resp. LHAE0) be the LHAE game except with b set to one (resp. zero). 
Then a standard argument gives that 

$$\mathrm{Adv}^{\mathrm{lhae}}_{SE}(A) = \Pr\left[\mathrm{LHAE1}^{A}_{SE} \Rightarrow \mathrm{true}\right] - \Pr\left[\mathrm{LHAE0}^{A}_{SE} \Rightarrow \mathrm{false}\right] .$$

We write Adv^{lhae}_{SE}(t, q_e, μ_e, q_d, μ_d) to mean the maximum of Adv^{lhae}_{SE}(A) 
taken over all adversaries A that run for t computational steps, asking at most 
q_e queries to its left oracle that result in ciphertexts of total length μ_e bits, and 
q_d queries to its right oracle that total μ_d bits in length. Restricting attention 
to adversaries A for which q_d = μ_d = 0 yields a length-hiding version of the 
IND-CPA notion, which we denote by LH-IND-CPA. We let 
Adv^{lh-ind-cpa}_{SE}(A) = Adv^{lhae}_{SE}(A) for A that make no decryption queries. 

The LHAE notion captures chosen-length attacks along two dimensions. First, 
we allow |M_0| ≠ |M_1|, unlike in previous formulations of encryption security. This 
captures that an attacker cannot distinguish between the encryptions of two 
chosen messages of arbitrary lengths. We only require that queried messages 
both encrypt to a ciphertext (not ⊥). This restriction is necessary to avoid 
trivial wins in which an attacker abuses two tuples (ℓ, H, M_0) and (ℓ, H, M_1) 
for which only one is handled by encryption. Second, we allow the adversary to 
adaptively pick ℓ for each query. A weaker notion restricts attention to a specific 
ℓ for the entire experiment. Indeed, this fixed-ciphertext-length notion may be 
sufficient for some applications. Our attacks (in the next section) show insecurity 
against this weaker notion, and so, by extension, the LHAE notion. On the 
other hand, our proofs target the stronger notion, meaning when the proofs are 
applicable, length-hiding security is achieved even if applications dynamically 
change ciphertext lengths for a single key as done by GnuTLS [ref] or if one 
implemented traffic morphing [ref] using MEE. 

5 Attacking TLS for Short Messages and Tags 

Next we sketch attacks against the MEE scheme as used in TLS and as described 
in Section 3. In this section, for convenience, we work bytewise. 

We give an attack that causes a decryption collision (recall: two valid ci- 
phertexts that decrypt to the same plaintext). For concreteness, let n = 128 
and τ = 80. This would be the case for truncated MACs [ref]. Now suppose 
the attacker can obtain a ciphertext C = C_0 || C_1 || C_2 for a message M with 
|M| = 40. Then the attacker computes a new ciphertext C' = C'_0 || C_1 where 
C'_0 = C_0 ⊕ 0x00 ···_15 0x00 0x10, where 0xab ···_k 0xab signifies a total of k 
copies of the byte value 0xab. The plaintext underlying the CBC mode ciphertext 
C is M || T || 0x10 ···_17 0x10: a 5-byte message and a 10-byte tag leave 17 bytes 
of padding in the two plaintext blocks. It is easy to verify that the plaintext 
underlying C' is M || T || 0x00, which is correctly formatted (zero-length padding 
is permitted) and, since it has the same message and tag as in C, will verify. 

This attack can be extended to break MEE-TLS-CBC in the traditional IND- 
CCA sense. With parameters as before, suppose the attacker receives from its 
encryption oracle a 3-block encryption C of M_b, one of two 5-byte messages 
M_0, M_1. (The messages are the same length.) Then the attacker can modify C 
by truncation and bit flipping in the IV to produce a fresh ciphertext C' which 
is a valid encryption of M_b. At this point C' may be submitted to the decryption 
oracle and the returned plaintext will be M_b, allowing the attacker to win the 
IND-CCA game with probability 1. While this attack rules out MEE meeting 
IND-CCA security (for short messages and MACs), notice that it does not seem 
to translate into a mountable attack on TLS. This is because an attacker that 
intercepts C and sends C' instead will not see any difference in the behaviour of 
the TLS connection as compared to having just sent C. One may conclude from 
this that CTXT security, which is violated here, is overly strong and the ability 
to find decryption collisions does not endanger security. 

This intuition is wrong, and in fact what we'll see is that IND-CCA is 
too weak to capture the problem that decryption collisions give rise to. 
Consider a client sending a short message, either "YES" or "NO", encoded as 
a 3-byte string or a 2-byte string. Note these are of two different lengths, and so 
the IND-CCA security definition excludes such a pair from consideration. Let 
M ∈ {YES, NO} denote the message the client encrypts, which is not known to 
the attacker. Assume the client uses extra padding (such as done by GnuTLS) 
to mask lengths; say the chosen extra padding during encryption was enough to 
fill up one extra block. The attacker intercepts the ciphertext C = C_0 || C_1 || C_2 
generated by the client. It then generates a new ciphertext C' = C'_0 || C_1 where 

C'_0 = C_0 ⊕ 0x00 ···_12 0x00 0x10 0x10 0x10 0x10 . 

The attacker then forwards C' in place of C to the server and observes whether 
decryption succeeds (say, by seeing if the session is torn down). If decryption suc- 
ceeds, the attacker knows that M = NO and otherwise that M = YES. Why does 
this work? The plaintext for CBC underlying C is either NO || T_no || 0x13 ···_20 0x13 
or YES || T_yes || 0x12 ···_19 0x12. If the former, then decrypting C' succeeds since 
the padding underlying C' is exactly 0x03 ···_4 0x03 and the message and tag are 
untouched. But in the latter case, the CBC decryption step applied to C' yields 
YES || T'_yes || 0x02 0x02 0x02 where T'_yes = T_yes ⊕ 0x00 ···_9 0x00 0x10. The 
padding is well formed, but since the MAC tag is deterministic, it cannot be that 
this modified MAC verifies and so decryption fails. 

This attack extends immediately to handle TLS's sequence numbers and asso- 
ciated data. It also extends to give LHAE attacks for a variety of pairs of message 
lengths, including combinations where one message is short (a few bytes) and 
the other is long (even up to 15 blocks in size). The example can be generalised 
to a variety of MAC sizes. Indeed, the attack still works in the extreme case 
where the MAC size is just 8 bits less than the block size², in which case one 
of the messages in the attack is of zero length, a length permitted in the TLS 
specification [ref]. 

This distinguishing attack can be mounted in practice against TLS if an im- 
plementation uses sufficiently short MAC tags, such as those arising from the 
widespread use of truncated MACs (as done in IPsec and SSH). Fortunately 
TLS 1.2 itself does not support short enough MACs, but 80-bit truncated MACs are 
explicitly defined for use in extensions to TLS 1.2 [ref]. In these extensions, then, 
we have a vulnerability: a man-in-the-middle attacker can violate TLS's confi- 
dentiality design goal. 

6 The CRD Security Notion 

We saw in the last section that MEE with TLS padding is always LHAE inse- 
cure when τ + |M| < n − 8 (where n is the underlying blockcipher length). Our 
goal in the rest of the paper is therefore to prove that when τ + |M| > n − 8 the 
MEE scheme is LHAE secure for the generalized TLS encoding scheme described 
in Section 3. This will yield as a special case the first proof that the full TLS 
Record Protocol is secure for standard chosen-ciphertext attack models. 

Consider first the non-length-hiding case. Then a natural approach is to tar- 
get the two properties IND-CPA and ciphertext integrity (CTXT). Recall that 
CTXT [ref] rules out the ability of an attacker to produce a valid ciphertext not 
before returned by an encryption oracle. A result of Rogaway and Shrimpton [ref] 
states that satisfying both IND-CPA and CTXT is equivalent to AE security. 
In the full version we state and prove a generalization of this equivalence for the 
length-hiding setting and also show that MEE is length-hiding IND-CPA (LH- 
IND-CPA). The proofs are easy extensions of the proofs in the non-length-hiding 
setting. 

² This case is extreme because TLS is a byte-oriented protocol. 

The complexity of the analysis lies in showing CTXT. Consider the analysis 
by Krawczyk [ref] for a restricted version of MEE with CBC that, unfortunately, 
does not cover any usage case of TLS. His proof shows that MEE is single-query 
CTXT in the case that τ = n, and encoding is both injective and ensures that 
the tag fills exactly one plaintext block for the underlying encryption. These 
restrictions make a proof more manageable, in particular leading to a simpler 
final case analysis. In our setting, a direct CTXT analysis would require many 
more cases, these induced by the relaxation to variable-length padding and the 
fact that tags may span multiple plaintext blocks. To ameliorate this complexity, 
we take a more modular approach to proving CTXT. 

CRD SECURITY. We introduce a new notion of security for encryption schemes 
called collision-resistant decryption (CRD). This enables proofs of CTXT to be 
split into two self-contained parts and helps modularize our analysis further. 
Recall that plaintext integrity (PTXT) requires that an adversary not be able 
to construct a ciphertext that decrypts to a valid message that was not before 
queried to the encryption oracle. As mentioned above, CTXT rules out con- 
structing any new ciphertext. As shown by Bellare and Namprempre [ref], PTXT 
is a strictly weaker property than CTXT. We show that CRD is exactly the 
"gap" between the two properties. Informally, CRD security requires that an 
attacker cannot produce a new ciphertext that decrypts to a message previously 
queried to the encryption oracle. One can see, in fact, that the attacks of the 
previous section are, at their core, breaking MEE in the sense of CRD. 

Let SE = (K_se, Enc, Dec) be an encryption scheme, and let A be an adversary. 
We define the collision-resistant decryption advantage of A as Adv^{crd}_{SE}(A) = 
Pr[CRD^{A}_{SE} ⇒ true], where the game CRD_SE is defined in Figure 5. In the usual 
way, we write Adv^{crd}_{SE}(t, q_e, μ_e, q_d, μ_d) to mean the maximum of Adv^{crd}_{SE}(A) over 
all adversaries A that run for t computational steps, asking at most q_e queries 
to its encryption oracle that total at most μ_e bits in length and asking at most 
q_d queries to its test oracle that total at most μ_d bits in length. 
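As an added, runnable illustration of the TLS encoding of Fig. 3, of the two Section 5 attacks, and of the CRD game just defined (this is the editor's example, not code from the paper), the Python below implements MEE-TLS-CBC bytewise with n = 16 bytes and τ = 10 bytes. Assumptions: the block cipher is a stand-in 4-round SHA-256 Feistel network rather than AES (the attacks use only the CBC structure, so any invertible block function will do); the MAC is HMAC-SHA256 truncated to 80 bits; keys, headers and messages are constructed test values. As in Fig. 2, decryption returns one and the same failure value for padding and MAC errors. 

```python
import hashlib
import hmac
import os

BLOCK = 16     # n = 128 bits
TAG = 10       # tau = 80 bits: HMAC-SHA256 truncated to 80 bits
MAX_PAD = 256  # psi = 2048 bits: at most 256 padding bytes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in 128-bit block cipher (assumption, not AES): a 4-round SHA-256 Feistel network.
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r


def tls_encode(length, msg, tag):
    """TLSencode(l, M, T) of Fig. 3, bytewise: pad M||T to `length` with p bytes of value p-1."""
    if length % BLOCK:
        return None
    p = length - len(msg) - len(tag)
    if p < 1 or p > MAX_PAD:
        return None
    return msg + tag + bytes([p - 1]) * p


def tls_decode(x):
    """TLSdecode(X) of Fig. 3: every padding byte is checked; a zero-length M is allowed."""
    if not x or len(x) % BLOCK:
        return None
    p = x[-1] + 1
    if len(x) - p - TAG < 0 or x[-p:] != bytes([x[-1]]) * p:
        return None
    return x[:-p - TAG], x[-p - TAG:-p]


def mee_encrypt(kma, kse, length, header, msg, iv=None):
    """Enc_K(l, H, M) of Fig. 2: MAC, encode to l - n bytes, CBC-encrypt behind an explicit IV."""
    tag = hmac.new(kma, header + msg, hashlib.sha256).digest()[:TAG]
    x = tls_encode(length - BLOCK, msg, tag)
    if x is None:
        return None
    prev = iv or os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(x), BLOCK):
        prev = block_encrypt(kse, _xor(x[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def mee_decrypt(kma, kse, header, ct):
    """Dec_K(H, C) of Fig. 2: padding and MAC failures both yield the same None."""
    if len(ct) % BLOCK or len(ct) < 2 * BLOCK:
        return None
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    x = b"".join(_xor(block_decrypt(kse, c), prev) for prev, c in zip(blocks, blocks[1:]))
    parsed = tls_decode(x)
    if parsed is None:
        return None
    msg, tag = parsed
    expected = hmac.new(kma, header + msg, hashlib.sha256).digest()[:TAG]
    return msg if hmac.compare_digest(expected, tag) else None


def collision_attack(ct):
    """First Section 5 attack: C = C0||C1||C2 for a 5-byte M carries M||T||0x10*17.
    XORing 0x10 into the IV's last byte and dropping C2 leaves M||T||0x00 (zero-length padding)."""
    return _xor(ct[:BLOCK], bytes(15) + b"\x10") + ct[BLOCK:2 * BLOCK]


def yes_no_attack(ct, server_accepts):
    """Section 5 distinguisher: NO||T||0x13*20 becomes NO||T||0x03*4 and is accepted,
    YES||T||0x12*19 becomes YES||T'||0x02*3 with a damaged tag byte and is rejected."""
    forged = _xor(ct[:BLOCK], bytes(12) + b"\x10" * 4) + ct[BLOCK:2 * BLOCK]
    return b"NO" if server_accepts(forged) else b"YES"


def crd_experiment(adversary):
    """CRD game of Fig. 5: Test wins on a new ciphertext decrypting to a queried (H_i, M_i)."""
    kma, kse = os.urandom(16), os.urandom(16)
    seen_ct, seen_pt, win = set(), set(), False

    def enc(length, header, msg):
        ct = mee_encrypt(kma, kse, length, header, msg)
        if ct is not None:
            seen_ct.add((header, ct))
            seen_pt.add((header, msg))
        return ct

    def test(header, ct):
        nonlocal win
        msg = mee_decrypt(kma, kse, header, ct)
        if msg is not None and (header, ct) not in seen_ct and (header, msg) in seen_pt:
            win = True
            return 1
        return 0

    adversary(enc, test)
    return win


def crd_adversary(enc, test):
    """Wins CRD by replaying the collision attack on a 48-byte encryption of a 5-byte message."""
    test(b"hdr", collision_attack(enc(48, b"hdr", b"hello")))
```

`crd_experiment(crd_adversary)` returns True: the forged C' is a ciphertext the oracle never returned, yet it decrypts to an (H, M) that was queried, which is exactly the CRD win condition and exactly what PTXT does not penalise. The same `mee_decrypt` oracle, wrapped as the `server_accepts` callback of `yes_no_attack`, turns that collision into the plaintext-length distinguisher of Section 5. 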

Figure 5 also specifies the games CTXT_SE and PTXT_SE. We similarly define 
Adv^{ctxt}_{SE}(A) = Pr[CTXT^{A}_{SE} ⇒ true] and Adv^{ptxt}_{SE}(A) = Pr[PTXT^{A}_{SE} ⇒ true]. 
We also define Adv^{ctxt}_{SE}(t, q_e, μ_e, q_d, μ_d) and Adv^{ptxt}_{SE}(t, q_e, μ_e, q_d, μ_d) analogously. 

The following theorem shows that the combination of PTXT and CRD secu- 
rity yields CTXT security. We omit the straightforward proof. 

Theorem 1. (PTXT + CRD ⇒ CTXT) Let SE = (K_se, Enc, Dec) be an encryp- 
tion scheme. Then 

$$\mathrm{Adv}^{\mathrm{ctxt}}_{SE}(t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\mathrm{ptxt}}_{SE}(t, q_e, \mu_e, q_d, \mu_d) + \mathrm{Adv}^{\mathrm{crd}}_{SE}(t, q_e, \mu_e, q_d, \mu_d). \qquad \square$$

Given Theorem 1 and our earlier remarks about LHAE being implied by LH- 
IND-CPA and CTXT, analyzing the LHAE security of any scheme can be sep- 
arated into showing that LH-IND-CPA, PTXT and CRD are achieved. This 
modularity is particularly beneficial for the MEE construction, where showing 
LH-IND-CPA and PTXT is straightforward. We defer discussion of these results 
to the full version. Instead, we focus next on the most involved task: showing 
CRD security of MEE using CBC and TLS padding. 

main CTXT_SE: 
  K ←$ 𝒦_se; S ← ∅; i ← 0 
  win ← false 
  (H*, C*) ←$ A^{Enc,Test} 
  Ret win 

procedure Enc(ℓ, H, M):   [CTXT] 
  i ← i + 1 
  H_i ← H; M_i ← M 
  C_i ←$ Enc_K(ℓ, H_i, M_i) 
  S ← S ∪ {(H_i, C_i)} 
  Ret C_i 

procedure Test(H*, C*):   [CTXT] 
  M* ← Dec_K(H*, C*) 
  If M* ≠ ⊥ ∧ (H*, C*) ∉ S then win ← true 
  Ret (M* ≠ ⊥) 

main PTXT_SE: 
  K ←$ 𝒦_se; S ← ∅; i ← 0 
  win ← false 
  (H*, C*) ←$ A^{Enc,Test} 
  Ret win 

procedure Enc(ℓ, H, M):   [PTXT] 
  i ← i + 1 
  H_i ← H; M_i ← M 
  C_i ←$ Enc_K(ℓ, H_i, M_i) 
  S ← S ∪ {(H_i, M_i)} 
  Ret C_i 

procedure Test(H*, C*):   [PTXT] 
  M* ← Dec_K(H*, C*) 
  If M* ≠ ⊥ ∧ (H*, M*) ∉ S then win ← true 
  Ret (M* ≠ ⊥) 

main CRD_SE: 
  K ←$ 𝒦_se; S ← ∅; i ← 0 
  win ← false 
  (H*, C*) ←$ A^{Enc,Test} 
  Ret win 

procedure Enc(ℓ, H, M):   [CRD] 
  i ← i + 1 
  H_i ← H; M_i ← M 
  C_i ←$ Enc_K(ℓ, H_i, M_i) 
  S ← S ∪ {(H_i, C_i)} 
  Ret C_i 

procedure Test(H*, C*):   [CRD] 
  M* ← Dec_K(H*, C*) 
  If M* ≠ ⊥ ∧ (H*, C*) ∉ S ∧ ∃ i: (H*, M*) = (H_i, M_i) 
    then win ← true; Ret 1 
  Ret 0 

Fig. 5. The CTXT, PTXT, and CRD experiments. The set S and the counter i are 
global variables in each game. 

7 The CRD Security of MEE-GEN-CBC 

In this section we give a formal security bound for MEE-GEN-CBC. In the fol- 
lowing theorem we consider the case that τ ≤ n, where n is the blocksize of 
the blockcipher underlying CBC. In fact the bounds hold when τ > n, too. Say 
that τ = n + n' for some n' > 0. Then we can reduce to the case considered 
by Theorem 2 by assuming that the adversary actually controls the first n' bits 
of T; essentially, they are treated as adversarially controlled message bits. Thus 
we can restrict our attention to the case that τ ≤ n, which simplifies our proof. 
Note that this does not significantly weaken our bound, since the dominating 
term is a function of n when τ > n. We emphasize that, unlike prior proofs, we 
make no assumption about the position of the tag. 

In what follows, let the total plaintext length of an encryption query (ℓ, H, M) 
in the CRD experiment be the total number of blocks that are consequently 
encrypted, i.e. the total number of blocks in M || T || P where T is the tag and P 
is the padding. 
Theorem 2. Fix n > 0 and let E: {0,1}^n × {0,1}^n → {0,1}^n be a blockci- 
pher. Let CODE = (encode, decode) be MEE sufficient with blocklength n and 
taglength τ ≤ n. Let F: 𝒦 × {0,1}* → {0,1}^τ be a function family. Let SE = 
MEE-GEN-CBC, where CBC is over blockcipher E. Let A be a CRD-adversary 
that runs in time t; asks q_e encryption queries, the sum of whose total plaintext 
lengths is σ_e; and asks q_d Test queries, the sum of whose lengths is σ_d blocks. Let 
σ = σ_e + σ_d. Let δ_min be the length (in bits) of the shortest message that A queries 
to its encryption oracle. Then, if τ + δ_min > n, there exist adversaries B_1, B_2 
such that 

$$\mathrm{Adv}^{\mathrm{crd}}_{SE}(A) \le \mathrm{Adv}^{\mathrm{prf}}_{F}(B_1) + \mathrm{Adv}^{\mathrm{sprp}}_{E}(B_2) + \frac{0.5\,\sigma^2 + \alpha^2 + 2\,\sigma_d\,\alpha(\alpha+1)\,q_e + q_e q_d}{2^{n}} + \frac{q_e q_d}{2^{\tau}},$$

where α is the number of distinct padding patterns. Here B_1 runs in time 
t + σ·Time_F and asks at most q + 1 queries, and B_2 runs in time t + O(σ) and 
asks at most σ queries. □ 

The proof can be found in the full version. We note that for TLS with full 
variable-length padding the parameter α is equal to 256. 

Similarly, we can consider the case that minimal-length padding is enforced 
by the encoding scheme. Equivalently, we can restrict to CRD adversaries that 
query ciphertext lengths ℓ that result in padding only to the closest blocklength. 
Let us call such adversaries minimal-length padding respecting. This case results 
in exactly the same bound. However, for TLS with minimum-length padding the 
value of α changes to 16. 

Corollary 1. Let all quantities and objects be as in Theorem 2, except that A 
is a minimal-length padding respecting CRD-adversary. Then, if τ + δ_min > n, 
there exist adversaries B_1, B_2 such that 

$$\mathrm{Adv}^{\mathrm{crd}}_{SE}(A) \le \mathrm{Adv}^{\mathrm{prf}}_{F}(B_1) + \mathrm{Adv}^{\mathrm{sprp}}_{E}(B_2) + \frac{0.5\,\sigma^2 + \alpha^2 + 2\,\sigma_d\,\alpha(\alpha+1)\,q_e + q_e q_d}{2^{n}} + \frac{q_e q_d}{2^{\tau}},$$

where α is the number of distinct padding patterns. Here B_1 runs in time 
t + σ·Time_F and asks at most q + 1 queries, and B_2 runs in time t + O(σ) and 
asks at most σ queries. □ 
Abstract. A fundamental question in cryptography deals with under- 
standing the role that randomness plays in cryptographic protocols and 
to what extent it is necessary. One particular line of works was initi- 
ated by Canetti, Goldreich, Goldwasser, and Micali (STOC 2000) who 
introduced the notion of resettable zero-knowledge, where the protocol 
must be zero-knowledge even if a cheating verifier can reset the prover 
and have several interactions in which the prover uses the same random 
tape. Soon afterwards, Barak, Goldreich, Goldwasser, and Lindell (FOCS 
2001) studied the setting where the verifier uses a fixed random tape in 
multiple interactions. Subsequent to these works, a number of papers 
studied the notion of resettable protocols in the setting where only one 
of the participating parties uses a fixed random tape multiple times. The 
notion of resettable security has been studied in two main models: the 
plain model and the bare public key model (also introduced in the above 
paper by Canetti et al.). 

In a recent work, Deng, Goyal and Sahai (FOCS 2009) gave the first 
construction of a simultaneous resettable zero-knowledge protocol where 
both participants of the protocol can reuse a fixed random tape in any 
(polynomial) number of executions. Their construction however required 
O(n^ε) rounds of interaction between the prover and the verifier. Both in 
the plain as well as the BPK model, this construction remains the only 
known simultaneous resettable zero-knowledge protocol. 

In this work, we study the question of round complexity of simultane- 
ous resettable zero-knowledge in the BPK model. We present a constant 
round protocol in such a setting based on standard cryptographic as- 
sumptions. Our techniques are significantly different from the ones used 
by Deng, Goyal and Sahai. 

* Supported by the Singapore National Research Foundation under Research Grant 
NRF-CRP2-2007-03, the National Natural Science Foundation of China under 
Grant No. 60803128, and the National 973 Program of China under Grant 
2007CB311202. 

** Supported by the National 973 Program of China under Grant 2007CB311202. 

*** Supported by the National 973 Program of China under Grant 2011CB302400 and 
the National Natural Science Foundation of China under Grant 60970152. 

† Supported in part from a DARPA/ONR PROCEED award, NSF grants 1118096, 
1065276, 0916574 and 0830803, a Xerox Foundation Award, a Google Faculty Re- 
search Award, an equipment grant from Intel, and an Okawa Foundation Research 
Grant. This material is based upon work supported by the Defense Advanced Re- 
search Projects Agency through the U.S. Office of Naval Research under Contract 
N00014-11-1-0389. The views expressed are those of the author and do not reflect 
the official policy or position of the Department of Defense or the U.S. Government. 

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 390–406, 2011. 

© International Association for Cryptologic Research 2011 

Resettable Cryptography in Constant Rounds 391 



1 Introduction 

A fundamental question in cryptography deals with understanding the role that 
randomness plays in cryptographic protocols and to what extent it is necessary. 
Progress on this question was made relatively early with the result of Goldreich 
and Oren showing that zero-knowledge protocols cannot exist in the 
setting where the parties do not have access to any randomness resource at 
all. While this work showed that randomness cannot be completely eliminated, 
it simultaneously motivated several natural questions studying the "extent" to 
which randomness is necessary. A rich line of work deals with studying the usage 
of imperfect randomness in various settings (see [KLRZ08, DOPS04] and the 
references therein). Another line of work (and the one dealt with in this paper) 
studies whether all the random choices can be made "offline" and be fixed once 
and for all. In other words, is it possible to design cryptographic protocols where 
a party can reuse the same random tape in multiple (or even all) executions? 

The question of reusing randomness in cryptographic protocols was first con- 
sidered in the context of zero knowledge by Canetti, Goldreich, Goldwasser, 
and Micali [CGGM00] who proposed the notion of resettable zero knowledge. 
In resettable zero knowledge, the zero knowledge property is required to hold 
even if a malicious verifier can "reset" the prover to the initial state and start 
a new interaction where the prover uses the same random tape. Canetti et al. 
[CGGM00] proposed constructions of resettable zero knowledge protocols based 
on standard cryptographic assumptions. Barak, Goldreich, Goldwasser, and Lin- 
dell [BGGL01] showed how to construct zero knowledge protocols for the opposite 
setting (where soundness is required to hold even if the verifier uses the same ran- 
dom tape in multiple executions), which following Micali and Reyzin [MR01b]¹ 
they call resettably sound (rS) zero-knowledge. Barak et al. also showed that 
any resettably sound zero-knowledge protocol must make use of non-black-box 
simulation techniques (introduced in a breakthrough work of Barak [Bar01]). 

Subsequent to these two works, a number of papers have studied the notion of 
resettable security primarily in the setting where only one of the participating 
parties uses a fixed random tape multiple times. Protocols have been proposed 
in the so called plain model (cf. [CGGM00, BGGL01, BLV03, DL07a, GS09]). A 
larger body of literature studies resettable security in the so called bare public 
key (BPK) model. In the BPK model, a (possibly adversarially chosen) public 
key is selected and published by the verifier(s) before any protocol interaction 
starts². Protocols for resettable security in the BPK model were studied in 
[CGGM00, MR01b, ZDLZ03, DPV04, DL07b, YZ07]. A more complete account 
of the related works is given in a later subsection. 

¹ Micali and Reyzin defined resettable soundness (and other soundness notions) in 
what is called the bare public key model. 

In a recent work, Deng, Goyal and Sahai (FOCS 2009) gave the first construc- 
tion of a simultaneous resettable zero-knowledge protocol where both partici- 
pants of the protocol can reuse a fixed random tape in any (polynomial) number 
of executions. Their construction was in the plain model. The construction how- 
ever required n^ε rounds of interaction between the prover and the verifier. Even 
in the BPK model, the DGS construction remains the best known simultaneous 
resettable zero-knowledge protocol. This motivates the following question: 

“Does there exist a polylogarithmic (or even constant) round simultaneous 
resettable zero-knowledge protocol in the BPK model?” 

Our Results. In this paper, we resolve the above question by constructing a 
constant round protocol for simultaneous resettable zero-knowledge in the BPK 
model. Our main theorem is as follows. 

Theorem 1. If there exist trapdoor permutations and collision resistant hash 
function families, then there exist constant-round resettably-sound resettable 
ZK arguments for NP in the BPK model. 

We leave open the question of round complexity of simultaneous resettable zero- 
knowledge in the plain model. Note that every resettable zero-knowledge protocol 
is also concurrent zero-knowledge [CGGM00]. Hence, a breakthrough will be 
required to construct a protocol in the plain model which matches the round 
complexity of the one in the BPK model given in our paper. 

Our Techniques. The techniques used in our paper are quite different from the 
ones used in the DGS construction [DGS09]. Here we outline the main technical 
problem which is required to be resolved to obtain a constant round construction 
of simultaneous resettable zero-knowledge in the BPK model. 

The source of large round complexity in the DGS construction is the usage 
of recursive rewinding strategies (cf. [RK99, KP01, PRS02]) which are coupled 
with a novel non-black-box simulation strategy. In the BPK model however, 
it is indeed possible to avoid recursive rewinding because of the existence of a 
"long term" trapdoor associated with the public key of the verifier (which the 
simulator can try to extract). At a high level, our protocol in the BPK model would 
follow the following structure. The verifier would first prove knowledge of a long 
term trapdoor associated with the public key using a zero-knowledge protocol. 
The prover would then give a witness indistinguishable argument of knowledge 
(WIAOK) proving either x ∈ L or that it "knows" such a trapdoor. Very roughly, 
now once the simulator extracts a long term trapdoor for a public key, it never 
needs to rewind a session with that public key (and the simulation can be done 
straight line). This would lead to a much simpler rewinding strategy avoiding 
large round complexity. 

² Such a model is quite different from having a "setup assumption" where one would 
assume, e.g., that a trusted party ensured that the public key was chosen correctly. 

The key problem that arises while implementing the above approach in the 
simultaneous resettable setting is that obtaining a WIAOK protocol from the 
prover to the verifier is non-trivial and quite complex (since an adversarial ver- 
ifier may rewind the prover to extract the witness). Instead, we would like to 
resort to using ZAPs [DN00], which are two-round WI protocols (and hence al- 
ready "secure" in the simultaneous resettable setting). Using a ZAP leads to the 
following problem. To arrive at a contradiction in the proof of (resettable) sound- 
ness, the prover should be forced to prove a false statement about the trapdoor 
of the verifier (since we are not using an argument of knowledge protocol). This 
in turn means that the theorems the verifier proves about its long term trapdoor 
must also be false (this is important for the proof of resettable zero-knowledge 
to go through). However note that statements about the same public key (and 
the long term trapdoor) are being proven by the verifier in multiple sessions. To 
simulate its proof in all of those sessions, it seems that the verifier will need to 
use a (constant round) concurrent zero-knowledge protocol! 

To overcome this problem, the verifier needs to be able to prove different 
statements in different sessions with the same public key such that some of them 
could be false while the others are true. This might suggest that the witness 
(containing the trapdoor) used by the verifier in each session is different. Yet we 
need that once we extract a trapdoor for any of these sessions, it should be a 
long term trapdoor which should enable the simulator to simulate every session 
with this public key (including even future sessions). Our protocol uses a careful 
technique to resolve this tension between “using sufficiently different witnesses 
in each session” and yet having “a common long term trapdoor binding them 
all”. Our full protocol is described in Section 3. 

Related Work. Subsequent to the works of Canetti et al. [CGGM00] and Barak 
et al. [BGGL01] described above, a number of works have investigated the prob- 
lem of security against resetting attacks for zero-knowledge protocols in the 
plain model. Barak, Lindell, and Vadhan [BLV03] constructed the first constant- 
round public-coin argument that is bounded resettable zero-knowledge. Deng and 
Lin [DL07a] showed a zero-knowledge argument system that is bounded reset- 
table zero-knowledge and satisfies a weak form of resettable soundness. 

A larger body of work has investigated the same problems in a relaxed set- 
ting, called the “bare public key” (BPK) model, introduced by [CGGM00], 
which assumes that parties must register (arbitrarily chosen) public keys prior 
to any attack taking place. [CGGM00] presented a constant-round resettable 
zero-knowledge argument in the BPK model, the round complexity of which 
was improved by Micali and Reyzin [MR01b]. Micali and Reyzin [MR01b] also 
first investigated different notions of soundness in the BPK model, including the 
notion of resettable soundness. Di Crescenzo, Persiano, and Visconti [CPV04] 
described a resettable zero-knowledge protocol with concurrent soundness, and 
Deng and Lin [DL07b] improved the computational assumptions needed to ob- 
tain this result. Yung and Zhao [YZ07] also construct resettable zero-knowledge 
and concurrently sound arguments in the BPK model, using a general and effi- 
cient transformation. Micali and Reyzin [MR01a] also proposed a stronger vari- 
ant of the BPK model for constructing bounded-secure protocols, and provided 
constant-round bounded resettable zero-knowledge arguments in this model; this 
result was strengthened by Zhao et al. [ZDLZ03], also in a bounded setting for 
resettable zero-knowledge. 

Goyal and Sahai [GS09] study the notion of general resettable two-party and 
multi-party computation and present general feasibility results when only one 
of the parties may be reset. In this work, we restrict ourselves to the study of 
the zero-knowledge functionality. 

Rest of this paper. We provide some basic definitions in Section 2. In Section 
3, we construct a constant-round resettably-sound concurrent ZK argument for 
NP in the BPK model. Finally, we apply the transformation of Deng, Goyal 
and Sahai [DGS09] to the protocol constructed in Section 3 to obtain our main 
result. 

2 Definitions 

Notation. We abbreviate probabilistic polynomial time as PPT. A function 
f(n) is said to be negligible if for every polynomial q(n) there exists an N such 
that for all n > N, f(n) < 1/q(n). If L is a language in NP, we define the 
associated relation as R_L = {(x, w) | x ∈ L, w is a witness for x ∈ L}. 

Interactive Arguments in the BPK Model. The bare public-key model 
(BPK model) assumes that: 

— A public file F that is a collection of records, each containing a verifier’s 
public key, is available to the prover. 

— An (honest) prover P is an interactive polynomial-time algorithm that is 
given as inputs a security parameter 1^n, an n-bit string x ∈ L, a witness w for 
x ∈ L, a public file F and a random tape r. 

— An (honest) verifier V is an interactive polynomial-time algorithm that works 
in two stages. In stage one (key registration stage), on input a security pa- 
rameter 1^n and a random tape r, V generates a key pair (pk, sk) and stores 
pk in the file F. In stage two (proof stage), on input sk, an n-bit string x 
and a random string ρ, V performs the interactive protocol with a prover, 
and outputs “accept x” or “reject x”. 

Definition 1 (Complete Interactive Arguments in the BPK Model). 
We say that the protocol ⟨P, V⟩ is complete for a language L in NP if for 
every n-bit string x ∈ L and any witness w such that (x, w) ∈ R_L, the probability 
that V, interacting with P on input w, outputs “reject x” is negligible in n. 

Malicious Resetting Provers in the BPK model. Let s be a positive poly- 
nomial and P* be a PPT algorithm on input 1^n. 

A resetting attack by an s-resetting malicious prover P* in the BPK model is 
defined as the following process: 

— Run the key generation stage of V on input 1^n and a random string r to 
obtain pk and sk. P* obtains pk and V stores the corresponding sk. 

— Choose s(n) random strings ρ_i, 1 ≤ i ≤ s(n), for V. 

— P* is allowed to choose an instance x and initiate any (polynomial) number 
of sessions with each verifier and interact with it in the second stage (proof 
stage) of the protocol. The i-th verifier uses input sk, ρ_i. 

Definition 2 (Resettably sound arguments in the BPK model). 
⟨P, V⟩ satisfies resettable soundness for an NP language L in the BPK 
model if for all positive polynomials s, for all s-resetting malicious provers P*, the 
probability that in an execution of the resetting attack, P* ever receives “accept x” 
for some x ∉ L from any of these verifiers is negligible in n. 

Malicious Resetting/Concurrent Verifiers in the BPK model. A reset- 
ting attack by an (s, t)-resetting malicious PPT verifier V*, for any two positive 
polynomials s and t, is defined as the following process: 

— In the key generation stage, on input 1^n, V* receives s(n) instances x_1, ..., x_{s(n)} ∈ 
L of length n each, and outputs an arbitrary public file F. 

— Choose r_1, ..., r_{s(n)} for P uniformly at random. 

— In the proof stage, V* starts in the final configuration of the key generation stage, 
and is given oracle access to s^3(n) provers P(x_i, w_i, pk_j, r_k, F), 1 ≤ i, j, k ≤ s(n). 

— V* finally outputs its entire view of the interaction (i.e., its random tape 
and the messages received from the provers). The total number of steps of 
V* in both stages is at most t(n). 

The concurrent attack by V* is defined in the same way except that we choose 
s^2 random tapes r_{i,j}, 1 ≤ i, j ≤ s, and V* is allowed to interact with the s^2 provers 
P(x_i, w_i, pk_j, r_{i,j}, F) (1 ≤ i, j ≤ s) concurrently. Note that here each random 
tape is used only once. 

Definition 3 (Resettable zero-knowledge in the BPK model). ⟨P, V⟩ 
is (non-black-box) resettable zero-knowledge for an NP language L in the BPK 
model if for every pair of positive polynomials (s, t), for all (s, t)-resetting ma- 
licious verifiers V*, there exists a simulator S, given as input the description 
of V*, such that for every x_1, ..., x_{s(n)} ∈ L, the following two distributions are 
computationally indistinguishable: 

1. The output of V* at the end of a resetting attack described above, 

2. The output of S(V*, x_1, ..., x_{s(n)}). 

Definition 4 (Concurrent zero-knowledge in the BPK model). ⟨P, V⟩ 
is (non-black-box) concurrent zero-knowledge for an NP language L in the BPK 
model if for every pair of positive polynomials (s, t), for all (s, t)-concurrent ma- 
licious verifiers V*, there exists a simulator S, given as input the description 
of V*, such that for every x_1, ..., x_{s(n)} ∈ L, the following two distributions are 
computationally indistinguishable: 

1. The output of V* at the end of a concurrent attack described above, 

2. The output of S(V*, x_1, ..., x_{s(n)}). 
3 Constructing Resettably-Sound Concurrent Zero 
Knowledge Arguments for NP in the BPK Model 

As a first step towards obtaining a simultaneously resettable zero-knowledge pro- 
tocol, we present a resettably-sound concurrent zero-knowledge argument for an 
NP language in the BPK model in this section. We will later show how to use the 
compiler of [DGS09] to obtain our main theorem. 

Let (G, E, D) be a semantically secure public-key encryption scheme, where 
G, E, and D denote the key-generation, encryption, and decryption algorithms 
respectively. The commitment scheme Com is a statistically binding and 
computationally hiding commitment scheme; Com(s, r) denotes the commitment 
to a string s using the random tape r. The protocol proceeds as follows. 

The resettably-sound concurrent ZK argument (P, V) in the BPK 
model 

The key registration stage: V runs the key generation algorithm G of the se- 
mantically secure public-key encryption scheme (G, E, D) twice independently, 
(pk_0, sk_0) = G(1^n, r_0^*), (pk_1, sk_1) = G(1^n, r_1^*), publishes (pk_0, pk_1) and stores r_b^* 
and sk_b for a random b ∈ {0, 1}. 

The proof stage (main protocol): 

Common input: x (supposedly in L) and the verifier’s public key (pk_0, pk_1). 

P’s private input: the witness w such that (x, w) ∈ R_L. 

V’s private input: the randomness r_b^* used in key generation for one of the public 
keys. 

P’s randomness: r_p. 

V’s randomness: r_v. 

1. P sends a commitment c = Com(e, r) to a random challenge e. 

2. V computes two ciphertexts of 0 under pk_0 and pk_1 independently, c_0 = 
E(pk_0, 0, r'_0), c_1 = E(pk_1, 0, r'_1), and sends c_0, c_1 and the first message a of the 
3-round WI proof of Hamiltonian Cycle for the following statement: 

(a) there exists r_b^* such that (pk_b, sk_b) = G(1^n, r_b^*) (equivalently, “I know 
one of the secret keys”); and, 

(b) there exist r'_0 and r'_1 such that c_0 = E(pk_0, 0, r'_0) and c_1 = E(pk_1, 0, r'_1) 
(i.e., both ciphertexts are encryptions of 0). 

The randomness used by V in this step as well as in the rest of the protocol is 
generated by applying a pseudorandom function f_{r_v} to the first message c 
of the prover. 

3. P sends e and executes the BGGL protocol in which P proves that either: 
1) there exists r such that c = Com(e, r), or, 2) x ∈ L. 

4. V now responds to the challenge e by sending the final message z of the 
3-round WI protocol of Hamiltonian Cycle. 

5. P executes a ZAP in which P proves that either x ∈ L or there exist r_d^* and 
d ∈ {0, 1} such that (pk_d, sk_d) = G(1^n, r_d^*) and 0 = D(sk_d, c_d) (i.e., one of 
the ciphertexts decrypts to 0). 

Remark 1. For simplicity of presentation, we view Com and ZAPs as non- 
interactive protocols requiring only a single message. However, our construction 
can use two-round protocols for each in a straightforward way. 

Remark 2. Note that there is a fine difference between the verifier and the prover 
in proving that a ciphertext is an encryption of 0: the verifier uses its knowledge of 
the randomness used in the encryption to prove that the ciphertext is an encryption 
of 0, while the prover uses knowledge of the secret key (more precisely, of the 
randomness used to generate the public/secret key pair) to prove that one 
plaintext is actually 0. We stress that this difference is crucial for the security 
proof. In the course of the simulation, once our simulator extracts the randomness 
used for generating one of pk_0 and pk_1 (note that it does not need the randomness 
used in these encryptions by the verifier to execute a session), it can handle all 
sessions under the same public key (pk_0, pk_1). On the other hand, in the proof of 
soundness, the reduction algorithm, playing the role of the verifier, needs only one 
of the secret keys to execute a session, and this enables it to use the power of a 
cheating prover to either break the semantic security of the encryption under the 
other public key or break the WI property of the underlying 3-round WI protocol, 
if such a cheating prover exists. 
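The construction leans on two properties of the 3-round WI protocol for Hamiltonian Cycle that V runs in steps 2 and 4, which we take here to be Blum’s protocol: special soundness (two accepting transcripts (a, e, z), (a, e', z') with e ≠ e' yield the witness, which is how the simulator of Section 3.1 recovers the key-generation randomness in step 3(d)) and the existence of a simple simulator that, given the challenge e in advance, outputs an accepting transcript with no witness (used by the hybrid verifiers of Section 3.2). The Python program below is an added illustration of exactly these two properties and is not code from the paper. It assumes a SHA-256 hash of the bit and 16 random bytes as the commitment standing in for Com, and runs on a constructed 5-vertex directed graph; the reduction of the protocol’s actual statement (knowledge of r_b^* and of the encryption randomness) to Hamiltonian Cycle is not shown.

```python
# Added illustration (not the paper's code): Blum's 3-round protocol for
# Hamiltonian Cycle, its special-soundness extractor and the challenge-given
# simulator of footnote 5. Assumption: SHA-256 over (bit || 16 random bytes)
# stands in for the statistically binding, computationally hiding Com.
import hashlib
import secrets

def commit(bit, rand=None):
    """Commit to one bit; returns (commitment, opening randomness)."""
    rand = secrets.token_bytes(16) if rand is None else rand
    return hashlib.sha256(bytes([bit]) + rand).digest(), rand

def open_ok(com, bit, rand):
    return com == hashlib.sha256(bytes([bit]) + rand).digest()

def permute_graph(adj, pi):
    """Adjacency matrix of H = pi(G): edge (u, v) of G becomes (pi[u], pi[v])."""
    n = len(adj)
    H = [[0] * n for _ in range(n)]
    for u in range(n):
        for v in range(n):
            if adj[u][v]:
                H[pi[u]][pi[v]] = 1
    return H

def commit_matrix(M):
    """Commit to every entry of a 0/1 matrix; returns (commitments, openings)."""
    n = len(M)
    cells = [[commit(M[u][v]) for v in range(n)] for u in range(n)]
    return [[c for c, _ in row] for row in cells], [[r for _, r in row] for row in cells]

def prover_commit(adj, pi):
    """First message a: commitments to the entries of pi(G); state kept for z."""
    coms, rands = commit_matrix(permute_graph(adj, pi))
    return coms, (pi, rands)

def prover_respond(state, e, cycle):
    """Third message z. e = 0: reveal pi and every opening. e = 1: open only
    the n edges of the permuted cycle, so pi (and G's cycle) stay hidden."""
    pi, rands = state
    if e == 0:
        return ("perm", pi, rands)
    n = len(cycle)
    edges = [(pi[cycle[i]], pi[cycle[(i + 1) % n]]) for i in range(n)]
    return ("cycle", [(u, v, rands[u][v]) for u, v in edges])

def is_hamiltonian_cycle(n, edges):
    """True iff the directed edges form one cycle through all n vertices."""
    succ = dict(edges)
    if len(succ) != len(edges) or set(succ) != set(range(n)) or set(succ.values()) != set(range(n)):
        return False
    seen, v = set(), 0
    while v not in seen:
        seen.add(v)
        v = succ[v]
    return len(seen) == n

def verify(adj, coms, e, z):
    """Verifier's check of the transcript (a = coms, e, z)."""
    n = len(adj)
    if e == 0:
        pi, rands = z[1], z[2]
        if sorted(pi) != list(range(n)):
            return False
        H = permute_graph(adj, pi)
        return all(open_ok(coms[u][v], H[u][v], rands[u][v]) for u in range(n) for v in range(n))
    edges = z[1]
    return (len(edges) == n and all(open_ok(coms[u][v], 1, r) for u, v, r in edges)
            and is_hamiltonian_cycle(n, [(u, v) for u, v, _ in edges]))

def extract(n, z0, z1):
    """Special soundness (simulator step 3(d)): from (a, 0, z0) and (a, 1, z1) with
    the same a, pull the opened cycle of pi(G) back through pi^-1 to a cycle of G."""
    inv = {pv: v for v, pv in enumerate(z0[1])}
    succ = {inv[u]: inv[v] for u, v, _ in z1[1]}
    cycle, v = [], 0
    for _ in range(n):
        cycle.append(v)
        v = succ[v]
    return cycle

def is_cycle_in_graph(adj, cycle):
    n = len(adj)
    return sorted(cycle) == list(range(n)) and all(adj[cycle[i]][cycle[(i + 1) % n]] for i in range(n))

def simulate(adj, e):
    """Footnote 5: knowing e in advance, output an accepting (a, e, z) without a
    witness. e = 0: commit honestly to pi(G) and open it. e = 1: commit to a matrix
    holding only the cycle 0->1->...->n-1->0 and open just those n entries."""
    n = len(adj)
    if e == 0:
        pi = list(range(n))
        secrets.SystemRandom().shuffle(pi)
        coms, rands = commit_matrix(permute_graph(adj, pi))
        return coms, ("perm", pi, rands)
    fake = [[int(v == (u + 1) % n) for v in range(n)] for u in range(n)]
    coms, rands = commit_matrix(fake)
    return coms, ("cycle", [(u, (u + 1) % n, rands[u][(u + 1) % n]) for u in range(n)])

# Constructed sample (not from the paper): 5-vertex directed graph whose only
# Hamiltonian cycle is 0->2->4->1->3->0, plus three decoy edges.
SAMPLE_EDGES = {(0, 2), (2, 4), (4, 1), (1, 3), (3, 0), (0, 1), (2, 3), (4, 0)}
SAMPLE_GRAPH = [[int((u, v) in SAMPLE_EDGES) for v in range(5)] for u in range(5)]
SAMPLE_CYCLE = [0, 2, 4, 1, 3]
```

The e = 1 branch of simulate is what makes the simulated a unusable against the other challenge: it does not commit to any permutation of G, so it can only be produced once e is fixed, which is exactly why V_2 in Section 3.2 first extracts e through the BGGL proof and only then rewinds.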

We now state the following theorem. 

Theorem 2. The above protocol (P, V) is a resettably-sound concurrent zero- 
knowledge argument. 

Completeness is obvious. We prove concurrent zero-knowledge and 
resettable soundness in the next two subsections. 

Hardness assumption. Note that the 2-round statistically-binding commit- 
ment scheme and semantically secure public key encryption scheme can be based 
on trapdoor permutations, which also imply the existence of ZAPs. In addi- 
tion, we need to assume collision-resistant hash functions required for the reset- 
tably sound BGGL protocol (which makes use of non-black-box simulation tech- 
niques). Thus we can base the above resettably-sound concurrent ZK argument 
on the assumption of existence of trapdoor permutations and collision-resistant 
hash function families. 

3.1 Proof of Concurrent Zero-Knowledge 

Let V* be a concurrent malicious verifier. Assume w.l.o.g. that in the real world, on 
input a fixed YES instance sequence x_1, ..., x_{s(n)} ∈ L of length n each, V* generates 
s public keys F = ((pk_0^1, pk_1^1), ..., (pk_0^s, pk_1^s)), and interacts with s^2(n) incarna- 
tions of the prover, P(x_i, w_i, (pk_0^j, pk_1^j), r_{i,j}, F), 1 ≤ i, j ≤ s(n). We now construct a 
simulator S as required by Definition 4. 

S operates as follows. First, given a fixed YES instance sequence x_1, ..., x_s ∈ L 
of length n each as input, S runs the key-generation phase of V* to obtain the 
public file F. 

In the proof stage, the first task of S is to extract one r_b^j (b ∈ {0, 1}) for each 
public key pair (pk_0^j, pk_1^j) such that r_b^j is the randomness used for generating 
the public key pk_b^j. Note that once these r_b^j’s are obtained, S is able to carry 
out all sessions successfully in a straight-line manner by decrypting one of the two 
ciphertexts (and relying on the soundness of the WI protocol). We say a session 
under public key (pk_0^j, pk_1^j) is solved if S has already extracted the corresponding 
randomness r_b^j; otherwise, we say it is unsolved. 

The extraction is done in a sequential way. Upon receiving an accepting ex- 
ecution of the 3-round WI protocol in an unsolved session under public key 
(pk_0^j, pk_1^j), S rewinds to the beginning of step 3, sends a random challenge e' and 
runs the simulator for the BGGL protocol to prove that c is a commitment to e'. 
When another accepting execution of this subprotocol is obtained, S has solved all 
sessions under this public key. 

We would like to make the following remarks on the above extraction: 

— The non-black-box simulator for the standalone BGGL protocol handles only 
a single session, but it runs in a concurrent setting. This means, during 
the execution of this subprotocol, many other sessions may appear. To deal 
with this issue, we have the following strategy. First observe that all the 
other sessions are being executed honestly by the simulator (and the cur- 
rent rewinding thread will be aborted if an unsolved session reaches its final 
prover message). Thus, we consider these sessions (and the part of the simu- 
lator handling these sessions) as part of the adversarial machine itself. Then 
our modified non-black-box simulator Sim will now simply act on this new 
machine (by using its code) instead of the original one. 

— For the analysis of running time to go through, we use the Goldreich-Kahan 
technique to bound the running time of S. 

The detailed description of S follows. 

The Simulator S: 

Input: the code of V*, s YES instances x_1, ..., x_s. 

1. Select a random tape for V*, and run the key-generation phase of V* to 
obtain the public file F = ((pk_0^1, pk_1^1), ..., (pk_0^s, pk_1^s)). 

2. Set h ← (x_1, ..., x_s) and S ← ∅ (the set of extracted trapdoors). 

3. Do the following: 

(a) Adopt the honest prover strategy until the final ZAP in every session, 
and extend h to include the transcript generated in this step. If V* 
terminates during this step, return h; otherwise, go to the next step. 

(b) If a solved session reaches the final ZAP, use the relevant randomness 
and secret key to produce the prover message of the final ZAP, and extend 
h to include this message. If V* terminates during this step, return h; 
otherwise, go to the next step. 

(c) If an unsolved session reaches the end of the underlying 3-round WI 
protocol, and the resulting transcript (a, e, z) so far is accepting, do the 
following: 

— (Estimation) Suppose that the first two messages sent in the cur- 
rent session are c, (c_0, c_1, a), and the corresponding public key is 
(pk_0^j, pk_1^j). Rewind V* to the point (we call it the rewinding point) 
where the verifier’s message (c_0, c_1, a) was just sent, and repeat the 
following until it receives an accepting transcript (a, e, z) of the 
underlying 3-round WI argument n^2 times: send the honest chal- 
lenge e and choose independent randomness to execute the underly- 
ing BGGL protocol honestly; when another unsolved session reaches 
the final ZAP, S aborts the current thread.³ 

We denote by X the total number of iterations (or threads) of this 
step. 

— (Extraction) Rewind V* to the above rewinding point again, and 
repeat the following until it obtains another accepting transcript 
(a, e', z') with e' ≠ e, or until the (X + 1)-st iteration is reached. If all 
iterations fail, output ⊥. 

• For the current session, S sends a new random challenge e' ≠ e, 
and then runs the non-black-box simulator Sim to prove that c 
is a commitment to e', where Sim proceeds exactly as the 
simulator for the BGGL protocol (except for acting on the 
new adversarial machine as described earlier). 

• For any other solved session, S executes the strategy described 
in step (b); if an unsolved session reaches the final ZAP, S aborts 
the current iteration. 

(d) From the two accepting transcripts of the 3-round WI protocol (a, e, z) 
and (a, e', z'), compute the randomness r_b^j such that (pk_b^j, sk_b^j) = 
G(1^n, r_b^j),⁴ update S to include r_b^j, and go to step 3. (Note that 
the above step 3(c) does not update the history h.) 

The concurrent zero-knowledge property of our protocol follows from the follow- 
ing claims. 

Claim 1 S runs in expected polynomial time. 

Claim 2 The output h of S is indistinguishable from the real interaction. 

Proof of Claim 1. We first count the number of queries which the simulator 
makes to the adversary. Observe that the number of queries which S makes in 
a single solved session is a constant C. Suppose that for a specific session i, S 
enters step 3(c) with probability p_i; then for this session the expected 
number of iterations in step 3(c) is at most p_i · (2n^2 / p_i) ≤ 2n^2. Since V* is 
only allowed to initiate s^2 sessions, the entire simulation of S makes an 
expected s^2 · C · (2n^2 + 1) number of queries (which is polynomial). Since each 
query additionally requires only polynomial time, the overall running time of the 
simulator is expected polynomial. □ 

³ In this case, S cannot proceed further without knowledge of the relevant secret key. 

⁴ Note that we can also compute the randomness that was used in the two encryptions 
of 0, but we don’t need it to carry out the final ZAP. 

Proof of Claim 2. We first prove that the probability that S outputs ⊥ is negligible. 
Observe that S outputs ⊥ only if it fails to extract a relevant secret key. 

Assume that for session i, S enters step 3(c) with probability p_i (taken over 
the random coins used in step 3 of the protocol; here the prover proves that e is the 
correct challenge). We claim that in a single run of the Extraction in step 3(c), 
the probability that S obtains an accepting transcript of the 3-round WI protocol 
is at least p_i − neg(n) for some negligible function neg (except for a negligible 
fraction of protocol prefixes, i.e., transcripts of steps 1 and 2); otherwise, we can 
use V* to break either the computational hiding property of the scheme Com 
or the zero-knowledge property of the BGGL protocol. 

Note that the Goldreich-Kahan technique [GK96] guarantees that the esti- 
mate n^2 / X of p_i is within a constant factor of p_i except with exponentially 
small probability; thus, we conclude that X > n^2 / (c · p_i) holds for some constant 
c except with exponentially small probability. 

Thus, the probability that S enters step 3(c) but does not extract the 
randomness used in the generation of some public key is at most 

p_i · (1 − p_i + neg)^X ≤ p_i · (1 − p_i + neg)^{n^2 / (c · p_i)}, 

which is negligible. 

Observe that the only difference between S and the honest prover is that they 
use different witnesses to carry out the final ZAP in each session. Now, by the 
WI property of the ZAP, we conclude that h is indistinguishable from the real 
interaction between honest provers and V*. □ 
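The running-time and abort arguments in Claims 1 and 2 rest on the estimate-then-extract pattern of [GK96]: rewind with the honest challenge until n^2 threads accept, so that n^2 / X is a constant-factor estimate of p_i, then allow only X + 1 extraction attempts, so that the expected work is p_i · O(n^2 / p_i) = O(n^2) while the chance that every attempt fails is about p_i (1 − p_i)^X. The Python model below is an added illustration, not code from the paper. It abstracts a single unsolved session and assumes that V* completes the WI proof independently with the same probability p in every rewound thread (the paper’s p_i); the negligible gap between threads and the abort rule for other unsolved sessions are ignored here.

```python
# Added illustration (not the paper's code): the Goldreich-Kahan estimate-then-
# extract step 3(c) for one unsolved session. Assumption: V* completes the
# 3-round WI proof independently with the same probability p in every thread.
import random

def estimate_then_extract(p, n, rng):
    """Run step 3(c) after an accepting (a, e, z) has been seen.
    Estimation: rewind with the honest challenge e until n^2 threads accept;
    X is the number of threads used, so n^2 / X estimates p.
    Extraction: rewind at most X + 1 times with a fresh e' != e and stop at the
    first accepting thread. Returns (X, success, extraction_threads_used)."""
    X, accepted = 0, 0
    while accepted < n * n:
        X += 1
        if rng.random() < p:
            accepted += 1
    for tries in range(1, X + 2):
        if rng.random() < p:
            return X, True, tries
    return X, False, X + 1

def run(p, n, seed=0):
    """Seeded single run of estimate_then_extract, for reproducible experiments."""
    return estimate_then_extract(p, n, random.Random(seed))

def simulate_session(p, n, rng):
    """One session: step 3(a) ends with an accepting WI transcript (so 3(c) is
    entered) with probability p; otherwise no rewinding is needed. Returns
    (rewinding threads spent, whether the session ended solved or never needed it)."""
    if rng.random() >= p:
        return 0, True
    X, ok, tries = estimate_then_extract(p, n, rng)
    return X + tries, ok

def mean_threads(p, n, trials, seed=1):
    """Empirical average of rewinding threads per session. Claim 1 bounds the
    expectation by roughly p * (2 n^2 / p) = 2 n^2, independent of p."""
    rng = random.Random(seed)
    return sum(simulate_session(p, n, rng)[0] for _ in range(trials)) / trials

def failure_bound(p, n, c=1.0):
    """Claim 2: given X >= n^2 / (c p), the probability that 3(c) is entered but all
    X + 1 extraction threads fail is at most p (1 - p)^(n^2 / (c p)), negligible in n."""
    return p * (1 - p) ** (n * n / (c * p))
```

Running mean_threads with a small p and a large p side by side shows the point of the estimation phase: the number of threads a session costs when 3(c) is entered grows like 1/p, but sessions enter 3(c) only with probability p, so the average stays near n^2 regardless of p, which is what makes the simulator expected polynomial time without knowing p_i in advance.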


3.2 Proof of Resettable-Soundness 

Assume that there is a PPT resetting prover P* that can cheat an honest verifier V (and 
complete a protocol execution) on a NO instance x with noticeable probability 
p. We shall now consider the following 5 hybrid verifier strategies. We shall prove 
that in each hybrid, the probability of the prover being able to cheat (in some 
session) is still noticeable. In the final hybrid, we note that the above cheating 
probability must be negligible by the soundness of the ZAP system (and thus 
arrive at a contradiction). We shall first describe the hybrid strategies and then 
argue that the probability of cheating remains noticeable in each of them. 

V_1: Follow the honest verifier strategy V, except that whenever V is instructed to 
apply the pseudorandom function specified by its random tape to generate 
randomness, V_1 uses truly random coins (while still making sure that for a 
given prover first message c, it always uses the same random coins). 

V_2: Follow the strategy below. 
1. In the key registration stage, V_2 acts exactly as V_1. 

2. In the proof stage, V_2 first picks a session i at random. 
Suppose that the first prover message in session i is c, and that the 
public key is (pk_0, pk_1) and the secret key stored by V_2 is sk_b for some 
b ∈ {0, 1}. 

3. For all sessions having a first prover message different from c, V_2 executes 
the honest verifier’s strategy throughout the entire interaction between P* 
and V_2. 

4. For all sessions having the first prover message c, V_2 executes the honest 
verifier’s strategy until a session among them first completes an 
accepting proof via the BGGL protocol for the correctness of challenge e, and 
then rewinds to the point where it received c for the first time, computes 
two encryptions of 0 under both public keys pk_b and pk_{1−b} honestly again, 
produces a fake first message a that can answer e successfully according 
to the 3-round WI protocol,⁵ and continues (without using the actual 
witness). 

V_3: Follow the strategy of V_2 except that, in item 4 of V_2, it computes an encryption 
of 0 under public key pk_b and an encryption of 1 under public key pk_{1−b} after 
extracting the challenge e and then rewinding (but produces the first message 
a in the same way as V_2). 

V_4: Follow the strategy of V_3 except that, in all sessions, whenever V_3 needs to 
use r_b^* as partial witness to carry out the 3-round WI protocol, V_4 uses r_{1−b}^*. 

V_5: Follow the strategy of V_4 except that, after rewinding, V_5 computes two 
encryptions of 1 under pk_0 and pk_1 respectively in those sessions having the 
first prover message c. 

First, we have that P* can cheat V_1 with probability negligibly close to p, due to 
the pseudorandomness of the pseudorandom function specified by the random 
tape of V. 

We now prove that P* can cheat V_2 in a session having the first prover message 
c with probability negligibly close to p/poly, where poly is the total number of 
distinct first prover messages appearing in the whole interaction between P* and 
V_2. Observe that for a randomly chosen first prover message c, P* cheats V_1 
in a session having this first prover message with probability exactly p/poly, and 
that the only difference between the second run of V_2 and V_1 is the way in which 
the transcript (a, e, z) is produced. Since in the 3-round protocol for Hamiltonian 
Cycle the simulated transcript (a, e, z) is computationally indistinguishable from 
a real one, we conclude that V_2 accepts with probability negligibly close to 
p/poly in a session having the first prover message c. 

We further claim that P* can also cheat V_3 in a session having the first 
prover message c with probability negligibly close to p/poly. Notice that the 
only difference between V_2 and V_3 is that, in their second run (after rewinding), V_2 
encrypts 0 under public key pk_{1−b}, while V_3 encrypts 1 under public key 
pk_{1−b}. Notice also that in both their second runs, the message a is produced 
independently of these encryptions. Thus, if the aforementioned claim is false, 
we can construct an algorithm V'_3 to break the semantic security of the public- 
key encryption scheme: V'_3 acts as V_2 except that, after rewinding, it obtains 
the ciphertext (that is supposed to be of 0 or 1) under the public key pk_{1−b} from 
an external challenger, instead of computing this ciphertext itself. When P* 
convinces V'_3 to accept in a session having the first prover message c, V'_3 outputs 
0; otherwise, it outputs 1. Observe that if the ciphertext obtained from the encryption 
oracle is an encryption of 0, then V'_3 is identical to V_2; if this ciphertext is an 
encryption of 1, V'_3 is identical to V_3. Hence, in a session having the first message 
c, if there is a non-negligible gap between the probability that V_2 accepts and the 
probability that V_3 accepts, V'_3 breaks the semantic security of the underlying 
public-key encryption scheme. 

⁵ In the 3-round WI protocol for Hamiltonian Cycle, given a challenge e, there exists 
a simple simulator that can produce an accepting transcript (a, e, z) efficiently. 

For strategies V_3 and V_4, we observe that the only difference between them is 
that they use different witnesses to carry out the 3-round WI protocol. Consider 
the following algorithm V_wi. 

V_wi: 1. In the key registration stage, V_wi generates two public keys honestly, 
i.e., it computes (pk_0, sk_0) = G(1^n, r_0^*), (pk_1, sk_1) = G(1^n, r_1^*), publishes 
(pk_0, pk_1), chooses a random bit b and stores both r_0^* and r_1^*. 

2. Like V_2, V_wi first picks a session i at random. Again, suppose that the 
first prover message in session i is c. 

3. For all sessions having a first prover message different from c: when a 
session with a distinct first prover message c' is initiated for the first 
time, V_wi executes the honest verifier’s strategy to compute two encryptions 
of 0, c_0 = E(pk_0, 0, r'_0) and c_1 = E(pk_1, 0, r'_1), sends (r_0^*, r_1^*, r'_0, r'_1) to an 
independent honest prover P_wi of the 3-round WI protocol, and forwards 
P_wi’s first message a' along with c_0, c_1 to P*. Once a session with the 
first prover message c' first completes the correctness proof via the BGGL 
protocol for the challenge e', V_wi sends e' to P_wi and forwards P_wi’s 
answer z' to P*. In all sessions with c' as the first prover message, V_wi 
sends the same (a', c_0, c_1) to P*, and if P* reveals the same e' again and 
completes the BGGL correctness proof, V_wi answers with the same z'; 
otherwise, V_wi outputs “failure”. 

4. When P* sends c for the first time, V_wi acts the same as in the above 
strategy: it computes two encryptions of 0, sends all random tapes to an 
independent P_wi and forwards P_wi’s first message a (and the two encryp- 
tions) to P*. Once P* repeats c, V_wi responds with the same a. When a 
session with the first prover message c first completes an accepting proof 
via the BGGL protocol for the correctness of challenge e, it rewinds to the 
point where it received c for the first time, computes an encryption of 
0 under public key pk_b and an encryption of 1 under public key pk_{1−b}, 
produces a fake first message a that can answer e successfully according 
to the 3-round WI protocol, and continues. 

We first note that V_wi outputs “failure” only if P* opens some commitment 
c' to two different values and gives accepting proofs for both. Due to the 
statistically-binding property of the commitment scheme and the resettable soundness 
of the BGGL protocol, the probability that V_wi outputs “failure” is negligible. 
Note also that each independent P_wi is run once (i.e., the 3-round WI proto- 
col is executed in the concurrent setting), and that if all these P_wi’s use r_b^* (resp., 
r_{1−b}^*) as partial witness, then V_wi is identical to V_3 (resp., V_4). Note that the 
3-round WI protocol is concurrently witness indistinguishable. Thus, we conclude 
that the probability that P* cheats V_4 in a session with the first prover message 
c is negligibly close to p/poly. 

Finally, notice that both V_4 and V_5 do not use knowledge of the random- 
ness r_b^* (used in the generation of the public/secret key pair (pk_b, sk_b)) to carry out 
any session in their entire interaction, and the only difference between them is 
that they encrypt different messages under pk_b in sessions having the first prover 
message c after rewinding. Similarly to the analysis of V_2 and V_3, due to the se- 
mantic security of the public-key encryption scheme under (pk_b, sk_b), the probability 
that P* cheats V_5 in a session with the first prover message c is negligibly close 
to p/poly. However, since both ciphertexts in these sessions are encryptions of 
1, by the soundness of the ZAP system, P* can cheat V_5 in any one of these 
sessions only with negligible probability. Thus p is negligible. 

4 Simultaneous Resettable Zero-Knowledge Arguments 
for NP in the BPK model 

In this section, we apply the transformation of [DGS09] to the resettably-sound 
concurrent ZK argument presented in the last section, and obtain simultane- 
ously resettable arguments for NP in the BPK model. This establishes our main theorem. 
Given a resettably-sound concurrent ZK argument (P_RC, V_RC) for an NP lan- 
guage L in the BPK model and a common input x ∈ L, the simultaneously 
resettable argument (P, V) for L proceeds as follows. 

The key registration stage: V acts exactly the same as V_RC in the key 
registration stage. 

The proof stage: 

Common input: x (supposedly in L) and the verifier’s public key ver_k. 
P’s randomness: (γ_p^1, γ_p^2). 

V’s randomness: (γ_v^1, γ_v^2). 

1. P uses randomness γ_p^1 to generate a random string r_p (of appropriate length) 
and a first verifier message ρ_p of a ZAP system. P sends C_p = Com(r_p) and 
ρ_p (where Com is a perfectly binding commitment scheme). 

2. V sets (τ_v^1, τ_v^2) = f_{γ_v^1}(x, ver_k, C_p). Using randomness τ_v^1, V generates the 
first verifier message ρ_v of a ZAP system and computes a commitment C_t = Com(0) 
to 0. V sends ρ_v and C_t. 

3. V and P execute the BGGL protocol in which V uses random tape τ_v^2 and 
proves that C_t is a commitment to 0. In addition, in each verifier step of this 
subprotocol, P generates a ZAP proof along with each verifier message for 
the following OR statement: 

(a) The current message is produced by an honest verifier of the BGGL 
protocol using random tape r_p, or, 

(b) x ∈ L. 

4. V sets (τ_v^3, τ_v^4) = f_{γ_v^2}(hist), where hist is the history so far except those ZAP 
proofs. Using randomness τ_v^3, V sends a commitment C_v = Com(τ_v^4) to P. 
In the remaining steps, V uses randomness τ_v^4. 

5. P sets τ_p = f_{γ_p^2}(hist). Using random tape τ_p, P and V execute (P_RC, V_RC), 
in which P proves x ∈ L, except that for every V_RC message, we have V 
give an additional ZAP proof for the following OR statement: 

(a) the current message is produced by an honest verifier of (P_RC, V_RC) 
using the random tape τ_v^4 committed to in C_v, or, 

(b) C_t is a commitment to 1. 

V accepts if and only if V_RC accepts the transcript of (P_RC, V_RC). 

Remark. In [DGS09], the actual transformation of a resettably-sound concurrent ZK argument into a resettably-sound resettable ZK argument takes two steps: 1) transform the resettably-sound concurrent ZK argument into a hybrid-sound hybrid zero-knowledge argument; 2) transform a hybrid-sound hybrid zero-knowledge protocol into a resettably-sound resettable zero-knowledge protocol. The second step is done by simply having each party refresh its randomness via a pseudorandom function. Here, for the sake of simplicity and of keeping the proof short, we merge these two steps into a single transformation (and refer the reader to [DGS09] for a detailed formal presentation).

Theorem 3. The protocol $(P, V)$ is a resettably-sound resettable zero-knowledge argument.

Proof sketch. The proof of this theorem is similar in spirit to the one in [DGS09]. Here we give only a proof outline.

Completeness is obvious.

Resettable soundness. For a given cheating prover $P^*$ for $(P, V)$ and a NO instance $x \notin L$, we construct a series of hybrid verifiers to show that the cheating probability is negligible, just like the hybrid verifiers $V_1, V_2, V_3, V_4$ and $V_5$ set up in the previous section. Whenever a hybrid verifier needs to rewind some target sessions with a specific first prover message $C_p$, it computes a commitment $C_t$ to $1$ in its first step, and then runs the simulator for the BGGL protocol to prove that $C_t$ is a commitment to $0$ in all sessions having the same first prover message $C_p$.⁶ Whenever it produces a fake first message $a$ of the underlying 3-round WI protocol in $(P_{rc}, V_{rc})$, it uses the witness for "$C_t$ is a commitment to $1$" to execute the ZAP for the correctness of message $a$. Similarly to the analysis presented in the previous section, it is not hard to show that, if all building blocks are secure, the protocol $(P, V)$ is resettably sound.

⁶ Note that all sub-executions of the BGGL protocol in these sessions are actually identical, due to the resettable soundness of the ZAP and the fact that the instance $x$ to be proven is a NO instance. This is why the simulator for the BGGL protocol in the stand-alone setting works in this specific resettable setting.
Resettable ZK. Note that the BGGL protocol is resettably sound, and hence for any malicious resetting verifier, if an execution of the BGGL protocol in step 3 is accepting, the message $C_t$ sent in step 2 is guaranteed to be a commitment to $0$ (except with negligible probability). As a consequence, all verifier messages sent in the subprotocol $(P_{rc}, V_{rc})$ are determined by the commitment $C_v$ sent in step 4 and the session history of $(P_{rc}, V_{rc})$, due to the fact that the ZAP is resettably sound; that is, for a fixed session prefix up to step 4, all sub-executions of $(P_{rc}, V_{rc})$ are identical. This observation enables us to adopt essentially the same simulation strategy as the simulator $S$ that works for concurrent adversaries, and to prove resettable zero knowledge. Given a resetting verifier $V^*$, our simulator $S'$ proceeds as follows. For all sessions, $S'$ follows the honest prover strategy until step 4. When reaching the subprotocol $(P_{rc}, V_{rc})$, $S'$ acts as the simulator $S$ for $(P_{rc}, V_{rc})$. For solved sessions, $S'$ uses the relevant secret key as witness to carry out the final ZAP. When an unsolved session reaches the end of the 3-round WI protocol in $(P_{rc}, V_{rc})$, $S'$ applies the extraction strategy of $S$ to extract a secret key. We can perform a similar analysis and show that $S'$ runs in expected polynomial time and that its output is indistinguishable from that of the real interaction. □
Abstract. We revisit the Two-Prover Bit Commitment Scheme of BenOr, Goldwasser, Kilian and Wigderson [BGKW88]. First, we introduce Two-Prover Bit Commitment Schemes similar to theirs and demonstrate that, although they are classically secure using their proof technique, if the provers are allowed to share quantum entanglement they are able to successfully break the binding condition. Secondly, we translate this result into a purely classical setting and investigate the possibility of using this Bit Commitment scheme in applications. We observe that the security claim of [BGKW88], based on the assumption that the provers cannot communicate, is not a sufficient criterion to obtain soundness. We develop a set of conditions, called isolation, that must be satisfied by any third party interacting with the provers to guarantee the binding property of the Bit Commitment.


1 Introduction

The notion of Multi-Prover Interactive Proofs was introduced by BenOr, Goldwasser, Kilian and Wigderson [BGKW88]. In the Two-Prover scenario, we have two provers, Peggy and Patty, that are allowed to share arbitrary information before the proof, but they become physically separated from each other during the execution of the proof, in order to prevent them from communicating. It was demonstrated by Babai, Fortnow, and Lund [BFL91] that Two-Prover Interactive Proofs (with a polynomial-time verifier) exist for all languages in NEXP-time. A fully parallel analogue was achieved by Lapidot and Shamir [LS97].

A quantum mechanical version of this scenario was considered by Kobayashi, Matsumoto, Yamakami and Yao [KM03, KMY03, Yao03]. To this day, it is still an open problem to establish the exact power of Multi-Prover Quantum Interactive Proofs. A rather vast literature now exists on this topic (see [BHOP08, CSUU07, DLTW08, IKM09, IKPSY08, KKMV08, Weh06]). However, it is still not even clear whether two provers are as powerful as more than two provers.

The Two-Prover Zero-Knowledge Interactive Proofs of [BGKW88] rely on the construction of a Bit Commitment scheme, information-theoretically secure under the assumption that the provers cannot communicate. We refer the reader to their paper to understand the application of this Bit Commitment scheme to the construction of Two-Prover Zero-Knowledge Proofs. We focus solely on their Bit Commitment scheme for the rest of our work. In this paper, we consider several important questions regarding Two-Prover Bit Commitment schemes. We do not limit our interest in Two-Prover Bit Commitment to the context of Zero-Knowledge proofs; as already discussed, similar techniques lead to a secure Oblivious Transfer under the same assumption. Given that any two-party computation may be achieved from Oblivious Transfer [Kil88], we consider the security of such Bit Commitment schemes in a very general context. We discuss at length their security in a very general composability situation.

In order to argue the security of their Bit Commitment scheme, the authors of [BGKW88] asserted the following assumption:

"there is no communication between the two provers while interacting with the verifier".

The current paper is concerned with the sufficiency of this assertion. We show in Section 3 that, although this assumption must be made, it is considerably too weak, because we exhibit variations of the scheme that are equally binding classically but that are not at all binding if the provers are allowed to share entanglement. It is however a very well known fact that entanglement does not allow communication. Although it is true that they can cheat if they can communicate, it is also true that they can cheat without communicating. Therefore the assumption that the provers cannot communicate is too weak.

This observation can be turned into a purely classical argument by exhibiting a black-box two-party computation that does not allow the provers to communicate, but that allows them to cheat the binding condition of the Bit Commitment scheme. This peculiar source of randomness may replace the entanglement used by the attack. Furthermore, the above assertion of BGKW can be interpreted as a prescription to the verifier that he should make sure not to help the provers to communicate while interacting with him. Again, this prescription would not prevent him from acting like the black box we exhibit. Thus, a stronger prescription is mandatory in order to assert security.

We carefully define a notion of isolation by which the two provers may neither communicate nor perform any non-local sampling beyond what is possible via quantum mechanics. We finally formalize a set of conditions that any third party involved in a Two-Prover Bit Commitment scheme must satisfy to make sure he does not break the assumption that the provers are in isolation. In particular, we make sure that if such a Bit Commitment scheme is used in another, larger cryptographic protocol, its security properties will carry over to the larger context.

1.1 Related Work

The starting point of this research is clearly the Bit Commitment scheme introduced by BenOr, Goldwasser, Kilian and Wigderson [BGKW88]. The security of a Two-Prover Bit Commitment scheme against quantum adversaries has been considered in the past in the work of Brassard, Crépeau, Mayers and Salvail [BCMS98]. They showed that if such a Bit Commitment scheme is used in combination with the Quantum Oblivious Transfer protocol of [BCMS98], it is not sufficient to guarantee the security of the resulting QOT if the two provers can get back together at the end of the protocol. In the current work, we consider only the situation while the provers are isolated.

The research by Cleve, Høyer, Toner and Watrous [CHTW04] is the main inspiration of the current paper. They established some relations between Two-Prover Interactive Proofs and so-called "non-locality games". More precisely, they showed that certain languages have a classical Two-Prover Interactive Proof that loses soundness if the provers are allowed to share entanglement. Some of our results are very similar to this. However, our new contributions are numerous. While [CHTW04] focuses on languages, we focus on the tool known as Bit Commitment. This tool is used in many contexts other than proofs of membership in a language: proofs of knowledge, Oblivious Transfer, Zero-Knowledge proofs, general two-party computations. Moreover, inspired by the observations of [CHTW04], we analyze the security of such Two-Prover tools in a completely classical situation. We conclude that proving the security of such protocols is very subtle when they are used in combination with other such tools. We also argue that the claim of security of the protocols of [BGKW88] requires a lot more assumptions than the mere "no communication" assumption (even in the purely classical situation).

Despite the impossibility theorems of Mayers [May96] and Lo & Chau [LC97], the possibility of information-theoretically secure Bit Commitment schemes in the Two-Prover model is not excluded in the classical and quantum models. Indeed, the computations sufficient to cheat the binding condition of a Quantum Bit Commitment scheme in the above "no-go" theorems cannot, in general, be performed by the two provers when they are isolated from each other. This is the reason why these theorems do not apply.

In a closely related piece of work, Kent [Ken05] showed how impossibility of communication, implemented through relativistic assumptions, may be used to obtain a Bit Commitment scheme similar to BGKW that can be constantly updated to avoid cheating. Kent proves the classical security of his scheme while remaining elusive about its quantum security. However, he claims security of one round of his protocol (see [Ken05], Lemma 3, p. 329), which is more or less the same as our Lemma 3. Unfortunately, his proof is incomplete, as pointed out in our proof of the Lemma. But we clearly recognize that he was the first to address this question.
A very different set of results [BCU+06] relates non-locality boxes and two-party protocols such as Bit Commitment and Oblivious Transfer. These are only marginally connected to the current research. They showed how these cryptographic protocols may be securely implemented from those non-locality boxes. On the contrary, we show how to break such protocols using non-locality boxes.

2 Preliminaries

2.1 Isolation

First let us define the condition imposed on the two provers: we use the word isolation to describe the relation between Peggy and Patty during the protocol. The intuitive meaning of this term is that Peggy and Patty cannot communicate with each other, since this condition is explicitly imposed by the Two-Prover model. However, we introduce this new terminology instead of the traditional "cannot communicate with one another" because we noticed that the meaning of "no-communication" is too weak and must be very clearly defined to produce valid security proofs. Isolation will be formally defined in Section 4. For now, the reader may follow his intuition and picture Peggy and Patty as restricted to computing their messages using only local variables.


2.2 Bit Commitment

The primitive known as "Bit Commitment" is a protocol in which a player Alice first sends some information to another player Bob, such that this information binds her to a particular bit value $b$. However, the information sent by Alice is not enough for Bob to learn $b$ ($b$ is concealed). At a later time, Alice sends the rest of the information to unveil the bit $b$, and she cannot change her mind to reveal $\bar{b}$ and convince Bob that this was the value to which she was committed in the first step. The following definitions will be used to characterize the security of a Bit Commitment scheme. Note that the function $\mu(n)$ always refers to a negligible function in $n$.

Definition 1. A Bit Commitment scheme is statistically concealing if only a negligible amount of information on the committed bit can leak to the verifier before the unveiling stage.

Definition 2. A Bit Commitment scheme is statistically binding if, for $b \in \{0, 1\}$, the probability $p_b$ that Alice successfully unveils for $b$ satisfies

$$p_0 + p_1 \le 1 + \mu(n). \qquad (1)$$

This binding condition was first proposed by Dumais, Mayers, and Salvail [DMS00] as a weaker substitute for the traditional definition $p_b \le \mu(n)$ for either $b = 0$ or $1$. This definition has since been used to show the security of many Bit Commitment schemes against quantum adversaries in various models, e.g. [DMS00, CLS01, DFSS05]. More recent definitions have been introduced since then [DFRSS07] that app­ear to better characterize Bit Commitment security in a quantum setting. However, we have not been able, so far, to find protocols that satisfy these definitions. This, we hope, will be part of future work in this area.

3 Two-Prover Bit Commitment Scheme

For simplicity reasons, we replace the original scheme of [BGKW88] by a far simpler and more compact version, which we call "simplified-BGKW" (or sBGKW for short). Still, we strongly recommend the reader to consult [BGKW88] for the details of the original construction. For an $n$-bit string $r$ and a bit $b$, we define the $n$-bit string $b \cdot r := (b \wedge r_1) \,\|\, (b \wedge r_2) \,\|\, \ldots \,\|\, (b \wedge r_n)$. The scheme is as follows:

Peggy and Patty agree on a uniform $n$-bit string $w$ and a random bit $d$. They are then isolated from one another.

Protocol 31 (sBGKW - Commit to $b$)
1: Vic sends a random $n$-bit string $r$ to Patty,
2: Patty replies with $x := (d \cdot r) \oplus w$,
3: Peggy announces $z := b \oplus d$.

Protocol 32 (sBGKW - Unveil $b$)
1: Peggy announces the bit $b$ and the $n$-bit string $w$,
2: Vic accepts iff $w = ((b \oplus z) \cdot r) \oplus x$.

Note that at the unveiling stage, as in the original scheme, it is not required that Peggy be the one announcing $b$. It is as good to let Vic deduce $b$: Vic computes $y := w \oplus x$; if $y = 0^n$ he sets $b := z$, if $y = r$ he sets $b := \bar{z}$, and otherwise he rejects. Indeed, Peggy may not even know $b$!

3.1 BGKW's Notion of Isolation

The assumption made in [BGKW88] is that Peggy and Patty are not allowed to communicate with each other. Based solely on that constraint, the following seems a "valid" security proof (it is more or less the same proof as in [BGKW88]).

Theorem 1. Constraining the provers as in [BGKW88], the sBGKW protocol is secure classically.

Proof. Vic does not know $w$, and $w$ is uniformly distributed among all possible $n$-bit strings for both values of $z$. It follows that the two strings $w$ and $r \oplus w$ have the exact same uniform distribution and are perfectly indistinguishable from one another. We can say the same for the pairs $(z, w)$ and $(z, r \oplus w)$. Hence sBGKW is concealing.
Now suppose that Peggy and Patty would like to be able to unveil a certain instance of $b$ both as $0$ and as $1$. To do so, Peggy would like to announce $w_b$ such that $w_b = ((b \oplus z) \cdot r) \oplus x$. We note that this models the two possible dishonest behaviours for Peggy and Patty: honestly commit to $b$ and try to change to $\bar{b}$ afterwards, or commit to nothing by sending some $x$ and decide which $b$ they want to unveil only at the unveiling stage. It follows that in both scenarios, a successful cheating strategy would allow them to produce the two strings $w_0$ and $w_1$ such that $\{w_0, w_1\} = \{x, r \oplus x\}$. However, the string $w_0 \oplus w_1 = x \oplus r \oplus x = r$ is completely unknown to Peggy by the no-communication assumption. Therefore, even using unlimited computational power, her probability of issuing a valid pair $w_0, w_1$ is at most $1/2^n$. Hence sBGKW is binding.

Nevertheless, this result is incomplete.¹ Indeed, we show next how a correlated random variable can be used to invalidate the result of Theorem 1 while not violating the "no-communication" assumption. This suggests that the conventional wording "no-communication" is insufficient, as it is not explicit enough to cover every kind of cheating mechanism Peggy and Patty can employ.

3.2 Cheating sBGKW with an NL-box

An NL-box, short for "Non-Locality box", introduced by Popescu and Rohrlich [PR94, PR97], is a device with two input bits $s$ and $t$ and two output bits $u$ and $v$ such that $u$ and $v$ are individually uniformly distributed and satisfy the relation $f(s, t) = u \oplus v$ for some function $f$. The pair $(s, u)$ is on one prover's side while the pair $(t, v)$ is on the other's. Because $u$ and $v$ are individually uniformly distributed, no NL-box allows Peggy and Patty to communicate, in either direction. NL-boxes are usually assumed to be asynchronous devices, that is, feeding in the input $s$ is sufficient to obtain $u$ even if $t$ has not been input yet, and likewise for $t$. Such a particular box, known as the PR-box, is defined by $f(s, t) = s \wedge t$, where $s$ and $t$ are binary inputs. It is known that two classical players can simulate the PR-box with success probability² at most 75% for all $s, t$, while quantum players sharing an entangled state can achieve a success probability of $\cos^2(\pi/8) \approx 85\%$ (consult [CHTW04] for details).

Fig. 1. The cheating PR-box: $u \oplus v = s \wedge t$ (figure not reproduced).
Let the two provers be given black-box access to this PR-box. The following shows how this PR-box allows Peggy and Patty to unveil the bits committed through sBGKW either way, at Peggy's will. For each position $i$, $1 \le i \le n$, Patty inputs into the PR-box the bit $s := r_i$ received from Vic and obtains the output $x_i := u$ from the PR-box, which corresponds to the $i$-th bit of the commitment string. Patty sends $x$ to Vic. Peggy discloses a random bit $z$ to Vic. To unveil bit $b$, Peggy inputs $t := d := b \oplus z$ into the PR-box and obtains the output $w_i := v$ from the PR-box, which she sends to Vic together with $b$.

If $d = 0$ then $d \wedge r_i = 0$ and thus $w_i = x_i$, which is the right value she must disclose. If $d = 1$ then $d \wedge r_i = r_i$ and thus $w_i \oplus x_i = r_i$, or $w_i = x_i \oplus r_i$, which is again the right value she must disclose.

Fig. 2. Using the PR-box (figure not reproduced).

Fig. 3. The cheating sBGKW-box: on inputs $r$ (Patty's side) and $d$ (Peggy's side) it outputs $x$ and $w := x \oplus (d \cdot r)$ (figure not reproduced).

¹ The broad explanation is that we implicitly assumed the provers had access only to local variables. We will see that we need to guarantee this restriction for the proof to hold.

² This result is shown optimal by enumerating every possible classical strategy.

Indeed, we can view an arbitrary cheat on sBGKW as a non-local computation between the provers, as in Fig. 3. Essentially we have just demonstrated that an sBGKW-box can be emulated perfectly by perfect PR-boxes. However, a valid cheating strategy need not succeed 100% of the time, so an sBGKW-box that is correct 80% of the time, for instance, would be enough to break the binding property. It seems quite obvious, nevertheless, that a PR-box that is correct 80% of the time will not help in implementing an sBGKW-box that is correct 80% of the time. For that matter, any PR-box that is correct a constant fraction $p < 1$ of the time will not help either.

It is not obvious whether an sBGKW-box with error probability greater than zero is equivalent to the PR-box, but it would be very interesting to prove it either way.


3.3 Quantumly Insecure Two-Prover Bit Commitments

We exhibit an intermediate scheme to emphasize how shared entanglement can be used to cheat, with probability almost one, a classically "secure" Two-Prover Bit Commitment. The protocol is a weaker version of the sBGKW scheme, called wBGKW, where the acceptance criterion of the unveiling stage is loosened to tolerate some errors. A second protocol (available in Section 3.7) is also a modified version of the sBGKW scheme, where the acceptance criterion is based on a game described later, called the Magic Square game.

A weaker acceptance criterion: the wBGKW scheme. Consider a weaker acceptance criterion where the string $w$ sent by Peggy can differ in at most $n/5$ positions from what it should be. Formally, the verifier Vic is to accept $b$ if $d(w, ((b \oplus z) \cdot r) \oplus x) \le n/5$, where $d(\cdot, \cdot)$ is the binary Hamming distance. The interest of such a modification is that now a cheating quantum pair Peggy and Patty can use the non-local property of entanglement to approximate the PR-box and successfully cheat wBGKW, while, as we show next, the Bit Commitment is "secure" classically. To facilitate notation we add an index $b$ to the string $w$, since $w$ is different depending on whether we unveil zero or one. Also, define $B$ as the random variable corresponding to the value they unveil.

Theorem 2. For any classical strategy, the probability that it outputs a string $w_0$ when $B = 0$ and $w_1$ when $B = 1$ such that $E[d(w_b, ((b \oplus z) \cdot r) \oplus x)] \le n/5$ for both values of $b$ is exponentially small in $n$.

Proof (of Theorem 2). Wlog, we can assume the provers use a deterministic strategy that may produce such a $w_0$ when $B = 0$ and $w_1$ when $B = 1$, so they can in fact output both $w_0$ and $w_1$. Hence, Peggy can compute the string $w_0 \oplus w_1$. Recall that when $d(w_b, ((b \oplus z) \cdot r) \oplus x) = 0$ for both $b$, then $w_0 \oplus w_1 = r$. We want to determine the distance between $w_0 \oplus w_1$ and $r$ in our situation. From the theorem's assumption, there exists a classical strategy that outputs $w_0$ and $w_1$ such that $E[d(w_b, ((b \oplus z) \cdot r) \oplus x)] \le n/5$ for $b = 0, 1$. Taking $z = 0$ (the case $z = 1$ is symmetric), we easily obtain that for such a strategy the expected distance from $r$ is

$$E[d(w_0 \oplus w_1, r)] = E[d(w_0 \oplus w_1, x \oplus (x \oplus r))] \le E[d(w_0, x)] + E[d(w_1, x \oplus r)] \le 2n/5$$

by the triangle inequality. Using a standard Chernoff bound argument, and since $r$ is absolutely unknown to Peggy, her probability of outputting a string $y = w_0 \oplus w_1$ such that $d(y, r) \le (1/2 - \varepsilon) \cdot n$ is exponentially small in $n$ for any constant $0 < \varepsilon < 1/2$. Since $2n/5 = (1/2 - 1/10) \cdot n$, we conclude that such a strategy cannot exist except with exponentially small probability, and so unveiling must fail for one of the two possibilities.

Conversely, this scheme is almost totally insecure against quantum adversaries.

Theorem 3. There exists a quantum strategy that successfully cheats the wBGKW scheme with probability $1 - \mu(n)$.

Proof (of Theorem 3). We saw in Section 3.2 that the PR-box, taken as a black box, correctly produces the needed $w_b$ to unveil as $b$. Use the well-known result (e.g. [CHTW04]) that, through entanglement, Peggy and Patty can optimally simulate the PR-box such that for each $i$ taken independently, $1 \le i \le n$, the simulated PR-box produces correctly correlated outputs with probability $\cos^2(\pi/8) \approx 0.85$. Therefore, for both values of $b$, this independent quantum strategy yields

$$E[d(w_b, ((b \oplus z) \cdot r) \oplus x)] = (1 - \cos^2(\pi/8)) \cdot n \approx 0.146 \cdot n,$$

and by the standard Chernoff bound the actual distance is below $0.15 \cdot n < n/5$ with probability exponentially close to one. We conclude that a pair of quantum provers defeats the binding condition of the scheme with probability $1 - \mu(n)$.
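The sBGKW scheme of Protocols 31 and 32, the PR-box cheat of Section 3.2 and the noisy wBGKW case of Theorem 3 can be checked numerically. The Python script below is an added example and not code from the paper: it models the PR-box correlation as a central simulator with a tunable per-bit success rate $p$ (an assumption of the example; isolated classical provers cannot exceed $3/4$, entangled provers reach $\cos^2(\pi/8)$), and estimates $p_0 + p_1$ of Definition 2 for each strategy and each acceptance criterion. The helper names (PRBoxes, estimate_p0_plus_p1, and so on) are ours.

```python
import math
import random
from typing import Callable, List, Tuple

Bits = List[int]
# A strategy receives Vic's challenge r and the bit b the provers want to
# unveil, and returns (x, z, w): Patty's string, Peggy's bit, Peggy's unveil string.
Strategy = Callable[[random.Random, int, Bits, int], Tuple[Bits, int, Bits]]

QUANTUM_PR_RATE = math.cos(math.pi / 8) ** 2   # ~0.854, best entangled simulation


def and_vec(b: int, r: Bits) -> Bits:
    """b . r := (b AND r_1) || ... || (b AND r_n), as defined in Section 3."""
    return [b & ri for ri in r]


def xor_vec(a: Bits, b: Bits) -> Bits:
    return [p ^ q for p, q in zip(a, b)]


def hamming(a: Bits, b: Bits) -> int:
    return sum(p != q for p, q in zip(a, b))


def vic_accepts(r: Bits, x: Bits, z: int, b: int, w: Bits, tolerance: int = 0) -> bool:
    """Protocol 32 with tolerance 0; the wBGKW relaxation with tolerance n/5."""
    return hamming(w, xor_vec(and_vec(b ^ z, r), x)) <= tolerance


class PRBoxes:
    """n independent noisy PR-boxes: u is uniform and u XOR v = s AND t with
    probability p per box.  This is a central simulation of the correlation
    (an assumption of the example, not something two isolated classical
    provers can build); each box is queried once per side, as a real box is
    not repeatable (footnote 4 of Section 4)."""

    def __init__(self, n: int, p: float, rng: random.Random) -> None:
        self.p, self.rng = p, rng
        self.s: List[int] = [-1] * n
        self.u: List[int] = [-1] * n

    def patty(self, i: int, s: int) -> int:
        """Patty's side: input s, receive the uniform output u."""
        self.s[i], self.u[i] = s, self.rng.randrange(2)
        return self.u[i]

    def peggy(self, i: int, t: int) -> int:
        """Peggy's side: input t, receive v with u XOR v = s AND t (prob. p)."""
        assert self.s[i] >= 0, "in the cheat Patty queries her side first"
        v = self.u[i] ^ (self.s[i] & t)
        return v if self.rng.random() < self.p else v ^ 1


def pr_box_strategy(p: float) -> Strategy:
    """Section 3.2: Patty feeds r_i into box i and sends u_i as x_i; Peggy
    announces a random z and, to unveil b, feeds d = b XOR z and sends v as w."""
    def play(rng: random.Random, n: int, r: Bits, b: int) -> Tuple[Bits, int, Bits]:
        boxes = PRBoxes(n, p, rng)
        x = [boxes.patty(i, r[i]) for i in range(n)]
        z = rng.randrange(2)
        w = [boxes.peggy(i, b ^ z) for i in range(n)]
        return x, z, w
    return play


def local_strategy(rng: random.Random, n: int, r: Bits, b: int) -> Tuple[Bits, int, Bits]:
    """Provers restricted to local variables (w, d), committed to 0 in advance;
    unveiling b = 1 would require w XOR r, which Peggy cannot compute."""
    w = [rng.randrange(2) for _ in range(n)]
    d = rng.randrange(2)
    return xor_vec(and_vec(d, r), w), 0 ^ d, w


def estimate_p0_plus_p1(strategy: Strategy, n: int, tolerance: int,
                        trials: int, seed: int = 1) -> float:
    """Monte-Carlo estimate of p_0 + p_1 from Definition 2: a fresh run per
    trial, checking Vic's acceptance of an unveiling of b for b = 0 and b = 1."""
    rng = random.Random(seed)
    total = 0.0
    for b in (0, 1):
        wins = 0
        for _ in range(trials):
            r = [rng.randrange(2) for _ in range(n)]   # Vic's challenge
            x, z, w = strategy(rng, n, r, b)
            wins += int(vic_accepts(r, x, z, b, w, tolerance))
        total += wins / trials
    return total


if __name__ == "__main__":
    n, trials = 200, 200
    print("sBGKW, perfect PR-box     :", estimate_p0_plus_p1(pr_box_strategy(1.0), n, 0, trials))
    print("sBGKW, local provers      :", estimate_p0_plus_p1(local_strategy, n, 0, trials))
    print("wBGKW, box at quantum rate:", estimate_p0_plus_p1(pr_box_strategy(QUANTUM_PR_RATE), n, n // 5, trials))
    print("wBGKW, box at 3/4         :", estimate_p0_plus_p1(pr_box_strategy(0.75), n, n // 5, trials))
```

With a perfect box and strict acceptance the sum is exactly 2 (binding fully broken), with local variables it is exactly 1 (the committed value opens, the other never does), with the $\cos^2(\pi/8)$ rate and the $n/5$ tolerance it is close to 2 for $n = 200$, and with the classical $3/4$ rate it falls well below 1, which is why the noisy box of Theorem 3 helps only a quantum pair.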
3.4 Discussion

The limitation of Theorem 1 (and Theorem 2) is that it claims that the following non-local computation, named the sBGKW2-box (see Fig. 4), is a communication device (which is obvious), assuming that any implementation of an sBGKW-box is sufficient to implement it (which is false: since the sBGKW-box is not a communication device, it is impossible to implement any communication device from it).

Fig. 4. The cheating sBGKW2-box: it outputs both $x$ and $x \oplus r$ (figure not reproduced).

However, these proofs are not wrong either, since it is impossible to accomplish the sBGKW-box without some sort of communication, which also holds for the sBGKW2-box. In particular, it means that this proof is seriously context-dependent. In a context where Patty and Peggy have access to a third party that scrupulously monitors that they are not communicating with each other, the proof does not hold anymore, because using the third party as an sBGKW-box is not excluded.

The bottom line here is that this proof is valid solely in a stand-alone security model. As soon as one starts composing such protocols, one has to monitor not only that the actions of the third party do not allow communication, but also that they do not constitute any form of correlation between Patty and Peggy.

This demonstrates that certain non-local correlations are enough to cheat Two-Prover Bit Commitment schemes while they are not enough to communicate. Thus we have to define the provers' isolation in terms of these non-local correlations and not only in terms of communication. This is the purpose of Section 4.

3.5 A Non-Local Box to Cheat the Original BGKW Scheme

Similarly to the sBGKW scheme, we can define an analogous cheating box for the original BGKW scheme, with two binary inputs $s, t$ and two uniformly distributed ternary outputs $u, v$.

The original protocol goes as follows:

Peggy and Patty agree on a uniform $n$-trit string $w$. They are then isolated from one another.

Protocol 33 (BGKW - Commit to $b$)
1: Vic sends a random $n$-bit string $r$ to Patty,
2: Patty replies with $x$ such that for all $k$, $x_k := \sigma_{r_k}(w_k) - b \bmod 3$.

Protocol 34 (BGKW - Unveil $b$)
1: Peggy announces the bit $b$ and the string $w$,
2: Vic accepts iff $w$ is such that for all $k$, $b = \sigma_{r_k}(w_k) - x_k \bmod 3$,

where the $\sigma$ function of [BGKW88] can be rewritten as the single expression

$$\sigma_r(w) = (1 + r)\, w \bmod 3, \qquad \forall r \in \{0, 1\},\ w \in \{0, 1, 2\}. \qquad (2)$$

So, using (2), we want from the cheating NL-box that $u := (s + 1)\, v - t \bmod 3$ for each $s, t$ and uniformly chosen $v$. Because for any binary $s, t$ we can easily define the inverse permutation over trits as $v := (t + u)(s + 1) \bmod 3$ (note that $(s + 1)^2 \equiv 1 \pmod 3$ for $s \in \{0, 1\}$), the following PR3-box does not allow communication, since individually $u$ and $v$ are uniformly distributed.

Fig. 5. A non-local box to cheat BGKW: the PR3-box takes $s$ and $t$, outputs a uniform trit $u$ on $s$'s side and $v := (t + u)(s + 1) \bmod 3$ on $t$'s side (figure not reproduced).

It is not hard to verify that the PR3-box that implements this non-local computation from $s, t$ is exactly the one needed to cheat the original BGKW scheme. As with the PR-box, for each round $i$, Patty inputs $s := r_i$ into the box and obtains the trit $x_i := u$, which she sends to Vic. If Peggy wants to unveil for $b$, she inputs $t := b$ into the PR3-box, which correctly outputs $w_i := v$. Clearly, they successfully cheat since, for all $i$,

$$\begin{aligned}
(1 + r_i)\, w_i - x_i \bmod 3 &= (1 + r_i)(b + x_i)(1 + r_i) - x_i \bmod 3 \\
&= (1 + r_i)^2 (b + x_i) - x_i \bmod 3 \\
&= (b + x_i) - x_i \bmod 3 \\
&= b.
\end{aligned}$$

We can also demonstrate that the PR3-box is as powerful as the PR-box. It is straightforward to check that the outputs $x'$ and $y'$ depicted in Fig. 6 are indeed the correct outputs to cheat the sBGKW scheme.
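The trit arithmetic of Protocols 33 and 34, equation (2) and the PR3-box identity above are small enough to verify by exhaustive check. The Python below is an added example, not code from the paper: it implements the honest commit and unveil, checks that the commitment hides $b$ (for each $r$ and $b$, the map $w \mapsto x$ is a bijection on trits), checks that each PR3 output is uniform on its own (the non-signaling property), and confirms that a single PR3 output $u$ can be unveiled as either bit. Function names are ours; the PR3-box is evaluated as a formula, since the point is the algebra rather than a physical device.

```python
import random
from typing import List, Tuple

Trits = List[int]


def sigma(r: int, w: int) -> int:
    """Equation (2): sigma_r(w) = (1 + r) * w mod 3, a permutation of {0,1,2}."""
    return ((1 + r) * w) % 3


def bgkw_commit(r: List[int], w: Trits, b: int) -> Trits:
    """Protocol 33, step 2: Patty's reply x_k = sigma_{r_k}(w_k) - b mod 3."""
    return [(sigma(rk, wk) - b) % 3 for rk, wk in zip(r, w)]


def bgkw_verify(r: List[int], x: Trits, b: int, w: Trits) -> bool:
    """Protocol 34, step 2: accept iff b = sigma_{r_k}(w_k) - x_k mod 3 for all k."""
    return len(r) > 0 and all((sigma(rk, wk) - xk) % 3 == b
                              for rk, wk, xk in zip(r, w, x))


def bgkw_is_concealing() -> bool:
    """For each r and b the map w -> x_k is a bijection on trits, so a uniform
    w_k makes x_k uniform whatever b is: Vic learns nothing before unveiling."""
    return all(sorted(bgkw_commit([r], [w], b)[0] for w in range(3)) == [0, 1, 2]
               for r in range(2) for b in range(2))


def pr3_v(s: int, t: int, u: int) -> int:
    """PR3-box of Fig. 5: with s and the uniform trit u on Patty's side,
    Peggy's output on input t is v = (t + u)(s + 1) mod 3."""
    return ((t + u) * (s + 1)) % 3


def pr3_is_non_signaling() -> bool:
    """For every fixed (s, t) the map u -> v is a permutation of the trits, so
    v is uniform on its own and carries no information about s; u is drawn
    independently of t, so it carries none about t."""
    return all(sorted(pr3_v(s, t, u) for u in range(3)) == [0, 1, 2]
               for s in range(2) for t in range(2))


def pr3_cheat(r: List[int], rng: random.Random) -> Tuple[Trits, Trits, Trits]:
    """Section 3.5 cheat: Patty feeds s = r_i and sends u_i as x_i; Peggy later
    feeds t = b and sends v_i as w_i.  Both unveil strings are derived from the
    same u here only to exhibit the algebra; a physical box answers once."""
    u = [rng.randrange(3) for _ in r]
    w0 = [pr3_v(s, 0, ui) for s, ui in zip(r, u)]
    w1 = [pr3_v(s, 1, ui) for s, ui in zip(r, u)]
    return u, w0, w1


def cheat_opens_both_ways(n: int, seed: int = 0) -> bool:
    """Vic accepts the same commitment x as 0 with w0 and as 1 with w1."""
    rng = random.Random(seed)
    r = [rng.randrange(2) for _ in range(n)]
    x, w0, w1 = pr3_cheat(r, rng)
    return bgkw_verify(r, x, 0, w0) and bgkw_verify(r, x, 1, w1)


def honest_round_trip(n: int, b: int, seed: int = 0) -> bool:
    """Honest provers: the committed bit is accepted and its complement rejected."""
    rng = random.Random(seed)
    r = [rng.randrange(2) for _ in range(n)]
    w = [rng.randrange(3) for _ in range(n)]
    x = bgkw_commit(r, w, b)
    return bgkw_verify(r, x, b, w) and not bgkw_verify(r, x, 1 - b, w)


if __name__ == "__main__":
    print("BGKW concealing:", bgkw_is_concealing())
    print("PR3 non-signaling:", pr3_is_non_signaling())
    print("honest round trips:", honest_round_trip(16, 0), honest_round_trip(16, 1))
    print("PR3 cheat opens both ways:", cheat_opens_both_ways(16))
```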

3.6 Magic Square Non-locality Game

A square is a $3 \times 3$ matrix whose entries are in $\{0, 1\}$. A row is said to be correct if its parity is even, and a column is said to be correct if its parity is odd. We use the following definition of the Magic Square game (from [CHTW04]), which slightly differs from the original game due to Aravind [Ara02]. The verifier Vic picks at random a row or column, say column $c_j$, and a position on $c_j$, $i, j \in \{1, 2, 3\}$. He then asks Peggy for the entries of column $c_j$, and Patty for the value in position $x_{ij}$. The two provers win if the parity of $c_j$ is odd (more generally, if the row or column asked for is correct), and if the value returned by Patty matches the value at position $x_{ij}$ in Peggy's answer. The following defines the validity of a square.

Fig. 6. Reduction from the PR-box to the PR3-box (figure not reproduced).

Definition 3. A $(3 \times 3)$ matrix $S$ is valid for zero if all rows of $S$ xor to $0$, and $S$ is valid for one when all columns of $S$ xor to $1$.

For instance, the following matrix $S_0$ is valid for zero while $S_1$ is valid for one:

$$S_0 = \begin{bmatrix} 0 & 0 & 0 \\ 0 & 1 & 1 \\ 1 & 1 & 0 \end{bmatrix}, \qquad S_1 = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \\ 0 & 0 & 0 \end{bmatrix}. \qquad (3)$$

Any classical strategy wins this Magic Square game with probability at most $17/18$. Remarkably, there exists a quantum strategy that allows Peggy and Patty to win this game every time; see [CHTW04, Ara02] for details.


3.7 Magic Square Bit Commitment

It is not hard to exploit the Magic Square game to build another Bit Commitment scheme. This scheme is particularly relevant in our study of Bit Commitments in the Two-Prover model, as it is perfectly secure classically but can easily be cheated with probability one using a quantum strategy. The scheme is as follows:

Peggy and Patty agree on a random bit $v$ and $n$ random squares $S_i$ such that each $S_i$ is valid for $v$. They are then isolated.

Protocol 35 (MSBC - Commit to $b$)
1: Peggy computes $x := v \oplus b$ and sends $x$ to Vic.
2: For each $i$, Vic picks a pair of random trits $r_i$ and $c_i$ and asks Peggy for the entry $S_i(r_i, c_i)$.

Protocol 36 (MSBC - Unveil $b$)
1: Peggy sends $b$ to Vic,
2: For each $i$, Vic asks Patty for row number $r_i$ of $S_i$ if $b = x$, or for column number $c_i$ of $S_i$ if $b \ne x$.
3: Vic accepts $b$ if, for each $i$, the row or column returned by Patty xors to $v = x \oplus b$ (that is, a row xors to $0$ and a column xors to $1$), and if the entry returned by Peggy matches Patty's answer. Vic rejects otherwise.
Theorem 4. Any classical strategy successfully cheats the binding property of the MSBC scheme with probability at most $(8/9)^{n/6}$, except with exponentially small probability.

Proof (of Theorem 4).

Wlog, it is sufficient to consider deterministic strategies. Consider the strategy where only the entry $(2,2)$ is used to make the square $S_i$ correct for $w_i$. When $r_i = 0$ or $1$, Peggy answers the line or column of $S_i$ as is. However, when $r_i = 2$, she sets the entry $(2,2)$ to the correct value such that a line xors to 0 or a column xors to 1. On query $(y_i, z_i)$, Patty answers the entry $(y_i, z_i)$ of $S_i$ if $(y_i, z_i) \neq (2,2)$, otherwise she answers 0. It is not hard to show that this strategy is optimal, since Peggy knows all the information (the $S_i$'s, $x$, and $r$), and Patty knows nothing about $x$ and $r$.

The problem for the provers is that whenever $b \cdot r_i = 1$, they succeed for at most one of $b \in \{0,1\}$. This is because the square $S_i$ they share cannot be correct for both $x_i$ and $\bar{x}_i$. Since $r$ is uniformly distributed, by a Chernoff argument, $r$ contains at least $n/3$ 1's. Thus, there is at least one of $b \in \{0,1\}$ for which in at least $n/6$ challenges the provers will answer correctly with probability at most $8/9$ (the sum of the challenges where she succeeds with probability at most $8/9$ for 0, and those where she succeeds with probability at most $8/9$ for 1, adds up to $n/3$). Therefore, their probability of successfully cheating is at most $(8/9)^{n/6}$ for any classical strategy, except with exponentially small probability.

However, there exists a quantum strategy that allows Peggy and Patty to 
successfully break the binding condition with probability 1 by winning the Magic 
Square game every time. 

Theorem 5. There exists a quantum strategy that successfully cheats MSBC with probability 1.

4 Defining and Checking Isolation

The existence of such an inputs-correlated$^3$ random variable, which does not allow communication but allows cheating of the sBGKW Two-Prover Bit Commitment scheme, sheds some light on the limitations of the original assumption of [BGKW88].

Indeed, the assumption of [BGKW88] is necessary but not sufficient to guarantee the binding property of the Bit Commitment scheme. Among its weaknesses, we note that it does not explicitly force any cheating strategy to be repeatable. The PR-box not being a repeatable process$^4$ gives a first understanding of why we can still cheat the sBGKW scheme despite the result of Theorem 1, which implicitly assumed repeatability of the cheating strategy.

$^3$ We emphasize that at least one of the "inputs" to the random variable needs to be obtained once the provers are isolated, otherwise such a random variable can be shared while the provers are together, and is thus useless to cheat the sBGKW scheme.

$^4$ The PR-box cannot be repeated to generate two valid strings $w_0$ and $w_1$.

Clearly, to achieve the binding condition, a stronger assumption is needed. One 
could require that once the provers are isolated, there exists no mechanism by 
which they may sample a joint random variable which is dependent on the inputs 
they provide. We note that, among other things, this new condition excludes 
communication between the two provers, as desired. However, it excludes a lot 
more, such as shared entanglement! This is simply too strong; we need to be 
more subtle in the way we define this “mechanism to sample a joint random 
variable”. 

It seems reasonable to believe that nature does not allow the existence of a PR-box (consult [CHTW04]). So why even ask for a stronger assumption than the no-communication assumption of [BGKW88]? Part of the answer is that Vic can play the role of the PR-box, or any other third party. In no circumstances can we ignore the fact that both Peggy and Patty individually talk to Vic. Definitely, we need to consider this aspect of the protocol with great care. For instance, consider the scenario where $r$ is sent to Peggy but unveiling is not done immediately after committing, but rather once Vic and the two provers have been involved in other, unrelated, interactive protocols. It is perfectly conceivable that within those protocols, for each $i$, Peggy and Patty succeed in sending $r_i$ and $b$ to Vic, and then in a completely different context (or a moment of unawareness) Vic performs the required computation and outputs $x_i$ and $w_i$, which are then sent respectively to Peggy and Patty. It is obvious that if such a computation, or any alike, can take place with enough probability then Peggy and Patty would succeed in cheating the sBGKW protocol!

More generally, we must not only consider Vic but any other third party, call it Ted, to which Peggy and Patty might have access to obtain correlated information. The previous situation highlights the fact that there is a whole class of functions with inputs coming from Peggy and Patty for which Ted must not send the outputs. Intuitively, each time Ted sends a message to either Peggy or Patty, he must ensure that the message does not outperform what Peggy and Patty can achieve using local variables in the sense of quantum mechanics. We propose two different approaches to formulate that statement as a criterion. The first considers the practical flavor of the problem, when Ted is working with instances of variables. The second approach is based on an information theoretic argument. At this point, we will not consider the scenario where the players can share quantum resources.

Let Peggy be identified by $P_0$ and Patty by $P_1$. The variable $D \in \{0,1\}$ is a reference to player $P_D$, and $T \in \{\emptyset, \{0\}, \{1\}, \{0,1\}\}$ is a tag appended to each message that indicates to Ted the player(s) eligible for receiving this message, where $T = \{0,1\}$ means both players and $T = \emptyset$ means none of them. The message about to be sent from Ted to prover $P_D$ is represented by $(m,T)_D$. We formalize Ted's behavior as follows.

Definition 4 (Practical criteria). Ted is said to be a "secure third party" if $\forall D \in \{0,1\}$, Ted follows these points.

1. A message received from player $P_D$ is tagged with $T := \{D\}$.

2. A message generated without involving any of the previous messages, e.g. picking a random string, is tagged with $T := \{0,1\}$.

3. A message obtained from a computation involving previous messages is tagged with the intersection of the tags of all the messages involved in that computation.

4. A message $(m,T)_D$ is sent to player $P_D$ only if $D \in T$.

Note: It is important that the communication pattern between Ted and the isolated provers be specified ahead of time, otherwise the traffic pattern (not only the message contents) may leak information.

We now explain why Ted will not send a message that allows $P_0$ and $P_1$ to communicate or establish non-local correlations. Let $(m,T)_D$ be the message Ted is about to send to player $P_D$. From the fourth point of Definition 4, Ted will send $(m,T)_D$ only if it is tagged $T = \{D\}$ or $\{0,1\}$. Looking at the message's tag assignment rule number 3, this happens only if there is absolutely no message tagged $\{1-D\}$ or $\emptyset$ used in the computation of $(m,T)_D$. Using an induction argument, it is not hard to see that this happens only when all the variables involved in the computation of $(m,T)_D$ are independent of the information of $P_{1-D}$, that is, they have themselves been generated using variables tagged $\{D\}$ or $\{0,1\}$. Thus, such a message $(m,T)_D$ is also independent of the information known only to $P_{1-D}$. Therefore, the messages sent by Ted do not let the two players communicate.

The case of non-locality is slightly more subtle, yet pretty straightforward. Recall that in a general non-local process, both players each use a message and receive a message uniformly distributed, from their point of view, such that the four messages satisfy a certain relation. The received message does not allow one to communicate with the other player. Suppose $P_{1-D}$ receives his message first. Since from his point of view this message is uniformly distributed, Ted can in fact generate a uniformly distributed message, tag it with $T := \{0,1\}$ and send it to $P_{1-D}$. At this point, this behavior does not violate anything because non-locality has not been created yet. Then, Ted computes the message for $P_D$. Because this message needs to satisfy the relation that binds together the four messages, at least one message tagged with $T \not\ni D$ and one tagged with $T \not\ni 1-D$ are used in its computation (it can be the same message), so the resulting message $(m,T)_D$ will be assigned the tag $T := \emptyset$ because the intersection contains neither $D$ nor $1-D$. This message $(m,\emptyset)_D$ is the one creating the non-local relation. However, from point 4 of Definition 4, since $D \notin \emptyset$, Ted will never send $(m,\emptyset)_D$.
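The four rules of Definition 4 are mechanical enough to run. The Python below is an added example, not code from the paper: a minimal Ted that tags every value it handles as the definition prescribes, with Peggy as $P_0$ and Patty as $P_1$, and exactly the PR-box request discussed above (Peggy supplies $r$, Patty supplies $b$, the two outputs must satisfy $x \oplus w = r \wedge b$). The class and function names are my own; the first output passes as a fresh uniform bit, the second inherits the empty tag and is refused.

```python
import random
from dataclasses import dataclass

BOTH = frozenset({0, 1})   # tag {0,1}: either player may receive
NONE = frozenset()         # tag ∅: nobody may receive


@dataclass(frozen=True)
class Tagged:
    """A value held by Ted together with its tag T from Definition 4."""
    value: int
    tag: frozenset


class SecureTed:
    """Third party following the four rules of Definition 4 (practical criteria)."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.delivered = []          # (player D, value) actually sent out
        self.refused = []            # (player D, tag) blocked by rule 4

    def receive(self, player, value):
        # Rule 1: a message coming from P_D is tagged {D}.
        return Tagged(value, frozenset({player}))

    def fresh_bit(self):
        # Rule 2: fresh randomness involves no earlier message, so it is tagged {0,1}.
        return Tagged(self.rng.randrange(2), BOTH)

    def compute(self, fn, *inputs):
        # Rule 3: the result carries the intersection of the tags of all its inputs.
        tag = BOTH
        for m in inputs:
            tag = tag & m.tag
        return Tagged(fn(*(m.value for m in inputs)), tag)

    def send(self, player, msg):
        # Rule 4: (m, T)_D is delivered only if D is in T.
        if player not in msg.tag:
            self.refused.append((player, msg.tag))
            return None
        self.delivered.append((player, msg.value))
        return msg.value


def pr_box_request(r, b, seed=0):
    """Peggy (P_0) supplies r, Patty (P_1) supplies b; Ted is asked to act as a PR-box.

    Returns (x delivered to Peggy or None, w delivered to Patty or None).
    """
    ted = SecureTed(seed)
    r_in = ted.receive(0, r)            # tag {0}
    b_in = ted.receive(1, b)            # tag {1}
    x = ted.fresh_bit()                 # uniform from Peggy's view, tag {0,1}
    x_out = ted.send(0, x)              # allowed: 0 is in {0,1}
    # The second output must satisfy x xor w = r and b, so it needs r_in and b_in.
    w = ted.compute(lambda x_, r_, b_: x_ ^ (r_ & b_), x, r_in, b_in)
    assert w.tag == NONE                # {0,1} ∩ {0} ∩ {1} = ∅
    w_out = ted.send(1, w)              # refused: 1 is not in ∅
    return x_out, w_out


def relay_request(r, seed=0):
    """Ted is asked to forward Peggy's r to Patty: refused, since r is tagged {0}."""
    ted = SecureTed(seed)
    r_in = ted.receive(0, r)
    return ted.send(1, r_in)


def one_time_pad_request(y, seed=0):
    """Ted masks Patty's own y with a fresh bit and returns it to Patty: allowed, tag {1}."""
    ted = SecureTed(seed)
    y_in = ted.receive(1, y)
    k = ted.fresh_bit()
    masked = ted.compute(lambda a, c: a ^ c, y_in, k)   # tag {0,1} ∩ {1} = {1}
    return ted.send(1, masked)
```

The communication pattern is fixed in each function ahead of time, as the Note above requires, so a refusal leaks nothing beyond the pattern itself.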

As mentioned before the previous definition, we can alternatively formalize 
Ted’s behavior in terms of entropy. The advantage of doing so is to enable anal- 
ysis of existing protocols. To satisfy the above practical criteria, the wrapping 
protocol must be designed in a rather restricted way. To consider general proto- 
cols, we offer this alternate definition. 

Let the message about to be sent from Ted to prover $P_D$ be represented by the variable $(M,T)_D$. The set of variables $S_{D,T}$ represents all the variables (messages) with tag $T$ sent by prover $P_D$ to Ted, and the set of variables $R_{D,T}$ all the variables (messages) with tag $T$ sent by Ted to prover $P_D$ before $(M,T)_D$.

Definition 5 (Information based criteria). Ted is said to be a "secure third party" if $\forall D \in \{0,1\}$, Ted follows these points.

1. An information received from player $P_D$ is tagged with $T := \{D\}$.$^5$

2. A variable $M$ to be sent to $P_D$ is tagged with the less restrictive tag $T \in \{\emptyset, \{D\}, \{0,1\}\}$ that satisfies the following relation.$^6$ Note that the calligraphic tag $\mathcal{T}'$ stands for the tag $\{0,1\} \setminus (T \cap \{D\})$ and the calligraphic tag $\mathcal{T}''$ stands for the tag $\{D\} \cup (T \cap \{1-D\})$.

$$H\big((M,T)_D \,\big|\, S_{D,\{D\}}, R_{D,\{D\}}, R_{D,\{0,1\}}, S_{1-D,\mathcal{T}'}, R_{1-D,\mathcal{T}'}, R_{1-D,\{0,1\}}\big) = H\big((M,T)_D \,\big|\, S_{D,\mathcal{T}''}, R_{D,\mathcal{T}''}, R_{D,\{0,1\}}, R_{1-D,\{0,1\}}\big) \quad (4)$$

3. A variable $(M,T)_D$ is sent to player $P_D$ only if $D \in T$.

We warn the reader that the tags and players' variables $D$ and $1-D$ do not play any role in the computation of the entropies; they are only present to discriminate the variables and determine which ones to include in the conditional part of the entropies. Notice also that, contrary to Definition 4, a variable's tag is set only when Ted considers sending it to a player, except for incoming variables. This relaxation will turn out to be the key point to explain why this generalized definition is not stronger than local variables on the players' side.

The process of determining which tag to assign can be broken into two steps. We start with the empty tag $\emptyset$. The first step is to decide whether we can add $\{D\}$ to the tag, or not. Notice that the right-hand side of equation (4) is the same for $T \in \{\emptyset, \{D\}\}$. This results from the calligraphic tag $\mathcal{T}''$, which is equivalent to $\{D\}$ in this case. On the other hand, the calligraphic tag $\mathcal{T}'$ introduces the terms $S_{1-D,\{1-D\}}$ and $R_{1-D,\{1-D\}}$ in the left-hand side of equation (4) when $T = \{D\}$. Thus, if the result of this first step is that the tag is at least $\{D\}$, then it means that the message to be sent is independent of the private information held by $P_{1-D}$. However, if we find that the tag is not even $\{D\}$, then it means that the message to be sent has some dependency on the private information of $P_{1-D}$, and therefore the message should not be sent.

If the first step terminates with a tag containing $\{D\}$, then we can move on to determine whether we can add $\{1-D\}$ to the tag, or not. We note that $\mathcal{T}'$ won't change for $T \in \{\{D\}, \{0,1\}\}$, so the left-hand side is invariant. However, the calligraphic tag $\mathcal{T}''$ will remove the terms $S_{D,\{D\}}$ and $R_{D,\{D\}}$ from the right-hand side if we consider the tag $T = \{0,1\}$. Hence, if equation (4) is satisfied with $T = \{0,1\}$, it means that the message to be sent is not only independent of the private information of $P_{1-D}$ (from the first step), but also of the private information of $P_D$. It follows naturally that this message is eligible for distribution to both players.

$^5$ This implies that the sets $S_{D,\{0,1\}}$ and $S_{1-D,\{0,1\}}$ are always empty. Therefore we do not include them in equation (4), but a formal expression should include them in the conditional part on both sides of the equality.

$^6$ In order to write a clear equation, we had to specify to which player the message is intended. As a result, we did not include $\{1-D\}$ in the set of possible tags. It turns out that the empty set tag is sufficient to cover both communication and correlation.
The interest of Definition 5 is that it is more flexible in the tag assignment than the practical Definition 4 (and thus more general). Indeed, whenever Ted deliberately randomizes a message with new [uniformly distributed] information, the information-based criteria conclude that there is no problem sending to $P_D$ a message that would have been tagged with $T = \{1-D\}$ or $\emptyset$ by the practical definition. The reason is that by randomizing completely all the [private] variables related to $P_{1-D}$, Ted is reducing the message he sends to $P_D$ to what $P_D$ can exactly achieve using local variables. That is to say, $P_D$ already has (using local variables) a random view of $P_{1-D}$'s variables (and so of the global message), so there is no problem for Ted to first randomize $P_{1-D}$'s variables and then send this message to $P_D$. Note however that the variables used to randomize will never be sent to $P_D$ since they now carry the sensitive information. We give two examples of these particular cases in Appendix A.

Henceforth, the Two-Prover model's assumption is based on this refined definition of isolation.

Definition 6. We say that Peggy and Patty are isolated from one another if they cannot communicate with one another, and if they only have access as external resource to secure third parties.

Using this new definition of isolation, we are now guaranteed that any strategy that Peggy and Patty try to perform through a third party can be achieved using only local variables on each side. Using this fact together with the general assumption that the cheating strategy is deterministic$^7$, it is straightforward to fix the proof of Theorem 1 by arguing that their classical strategy can be run on each copy of the information to output both $w_0$ and $w_1$.


5 Quantum Secure Bit Commitment in the Two-Prover Model

We now present the modified version of the sBGKW scheme, called the mBGKW scheme, and prove its security against quantum adversaries. Although the two schemes are almost identical, it turns out the proof against quantum provers is easier with the latter. The security of the sBGKW and BGKW schemes will follow as corollaries of mBGKW's security. The scheme is as follows:

Peggy and Patty agree on an $n$-bit string $w$. They are then isolated as in Definition 6.

Protocol 51 (mBGKW - Commit to $b$)

1: Vic sends two random $n$-bit strings $r_0, r_1$ to Peggy.

2: Peggy replies with $x := r_b \oplus w$.

$^7$ A probabilistic strategy can be made deterministic by fixing the randomness to the best sequence.

Protocol 52 (mBGKW - Unveil $b$)

1: Patty announces an $n$-bit string $w$.

2: Vic computes $r := w \oplus x$. He accepts iff $r \in \{r_0, r_1\}$ and deduces $b$ from $r$.

We want to show that the mBGKW scheme is secure against a quantum adversary. Clearly the commitment is concealing because Vic does not know $w$. This means that there exist $w$ and $w'$ such that $x = r_0 \oplus w = r_1 \oplus w'$, and Vic cannot determine which one has been used.

To prove that the binding property holds according to Definition 2, we again use the crucial observation that if Patty could simultaneously compute $(w_0, w_1)$, then she would learn $r_0 \oplus r_1 = w_0 \oplus w_1$. Let $p_\oplus := \Pr[\text{Patty determines } r_0 \oplus r_1]$. The next lemma relates $p_\oplus$ to $p_0 + p_1$ in the desired way. Notice however that because quantum information is involved this statement is much less straightforward than the classical analog: $p_0$ and $p_1$ still correspond to running the attack twice on the same data, but an attacker cannot do both.
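Protocols 51 and 52 are short enough to run end to end. The Python below is an added example, not the paper's code: it implements mBGKW for an honest run, checks the observation just made that holding both openings $w_0, w_1$ of one $x$ reveals $r_0 \oplus r_1$, and simulates the non-repeatable PR-box cheat against sBGKW (the special case $r_0 = 0^n$) from Section 4, with the box played by a third party that ignores Definition 4. Function and class names are my own; the box is queried once per commitment, which is footnote 4's point that it cannot yield both $w_0$ and $w_1$.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- mBGKW (Protocols 51 and 52) -------------------------------------------

def vic_challenge(n_bytes: int):
    """Commit step 1: Vic sends two random n-bit strings r0, r1 to Peggy."""
    return secrets.token_bytes(n_bytes), secrets.token_bytes(n_bytes)


def peggy_commit(b: int, w: bytes, r0: bytes, r1: bytes) -> bytes:
    """Commit step 2: Peggy replies with x := r_b xor w."""
    return xor((r0, r1)[b], w)


def vic_verify(x: bytes, w: bytes, r0: bytes, r1: bytes):
    """Unveil step 2: r := w xor x; accept iff r in {r0, r1}, returning b, else None."""
    r = xor(w, x)
    if r == r0:
        return 0
    if r == r1:
        return 1
    return None


def honest_run(b: int, n_bytes: int = 16) -> bool:
    w = secrets.token_bytes(n_bytes)          # agreed by Peggy and Patty before isolation
    r0, r1 = vic_challenge(n_bytes)
    x = peggy_commit(b, w, r0, r1)
    return vic_verify(x, w, r0, r1) == b      # Patty announces the agreed w


def both_openings_reveal_xor(n_bytes: int = 16) -> bool:
    """If Patty held w0 and w1 opening x as 0 and as 1, then w0 xor w1 = r0 xor r1."""
    r0, r1 = vic_challenge(n_bytes)
    x = secrets.token_bytes(n_bytes)
    w0, w1 = xor(r0, x), xor(r1, x)           # the only strings Vic accepts for 0 and 1
    assert vic_verify(x, w0, r0, r1) == 0 and vic_verify(x, w1, r0, r1) == 1
    return xor(w0, w1) == xor(r0, r1)


# --- sBGKW and the PR-box cheat ---------------------------------------------

class PRBox:
    """Bitwise PR-box: outputs satisfy x_i xor w_i = r_i and b, with x uniform.

    It does not signal (x never depends on b) and it is not repeatable: Patty
    obtains one w only, so she cannot produce both w0 and w1.
    """

    def __init__(self, n_bytes: int):
        self.n_bytes = n_bytes
        self.r = None
        self.x = None
        self.used = False

    def peggy_input(self, r: bytes) -> bytes:
        self.r = r
        self.x = secrets.token_bytes(self.n_bytes)   # uniform from Peggy's point of view
        return self.x

    def patty_input(self, b: int) -> bytes:
        if self.used:
            raise RuntimeError("PR-box already consumed")
        self.used = True
        mask = bytes([0xFF] * self.n_bytes) if b else bytes(self.n_bytes)
        return xor(self.x, bytes(ri & m for ri, m in zip(self.r, mask)))


def sbgkw_pr_box_cheat(b_unveil: int, n_bytes: int = 16):
    """Peggy commits through the box without choosing b; Patty picks b at unveil time.

    Returns (bit Vic accepts, box) so the caller can check non-repeatability.
    """
    r0 = bytes(n_bytes)                       # sBGKW: r0 is the all-zero string
    r1 = secrets.token_bytes(n_bytes)         # the r Vic sends to Peggy
    box = PRBox(n_bytes)
    x = box.peggy_input(r1)                   # Peggy's commitment, no b involved
    w = box.patty_input(b_unveil)             # w xor x = r1 and b = r_b
    return vic_verify(x, w, r0, r1), box


def cheat_is_not_repeatable() -> bool:
    """A second query for the other bit is refused: the box gives one valid w only."""
    _, box = sbgkw_pr_box_cheat(0)
    try:
        box.patty_input(1)
    except RuntimeError:
        return True
    return False
```

Vic accepts whichever $b$ Patty feeds the box, so binding is broken with probability 1 even though nothing Peggy sent depended on $b$; the same box cannot be asked again for the other bit, which is why the repeatability implicitly used in the classical proof fails here.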

Lemma 1. Assume Patty has probability $p_b$ to unveil bit $b$ successfully, for both values of $b$, and such that $p_0 + p_1 \geq 1 + \varepsilon$ for $\varepsilon > 0$. Then, Patty can guess $r_0 \oplus r_1$ with probability $p_\oplus \geq \varepsilon^2/4$.


Proof (of Lemma 1).

Assume without loss of generality that when the unveiling phase of mBGKW starts, Patty holds the pure state $|\psi\rangle \in \mathcal{H}_N$ of dimension $N \geq 2^n$. Note that we do not need to consider the whole bipartite state between Peggy and Patty since when the unveiling phase starts, Peggy no longer plays an active role in the protocol and no communication is allowed between the two; hence her system can be traced out of the global Hilbert space. Moreover, by linearity, the proof also holds if $|\psi\rangle$ is replaced by a mixed state. Notice also that, from the new model's assumption, Peggy and Patty cannot do better using a third party than what they can achieve with entanglement.

Generally speaking, Patty has two possible strategies depending upon the bit $b$ she wants to unveil. When $B = 0$, she applies a unitary transform $U_0$ to $|\psi\rangle$ in order to get the state $|\psi_0\rangle := U_0|\psi\rangle$ that she measures in the computational basis $\{|w\rangle\langle w|\}_{w \in \{0,1\}^n}$ applied to the first $n$ qubits of $|\psi_0\rangle$. When $B = 1$, she proceeds similarly with a unitary transform $U_1$ allowing her to prepare the state $|\psi_1\rangle := U_1|\psi\rangle$. She then measures $|\psi_1\rangle$ using the same measurement as for $B = 0$. All general measurements can be realized in this fashion; this is thus a general strategy for Patty. Notice that in the proof of Kent [Ken05], the use of unitary transformations $U_0$ and $U_1$ is obscured by the fact that he works with projective measurements. Notice also that the measurement on the first $n$ qubits of $|\psi_b\rangle$ can alternatively be expressed by the measurement operators $\{|w\rangle\langle w| \otimes I_M\}_{w \in \{0,1\}^n}$ on the whole state $|\psi_b\rangle$, where $I_M$ is the identity matrix on the system of dimension $M = N/2^n$.
From the values $r_0, r_1, x \in \{0,1\}^n$ announced by Vic and Peggy during the committing phase, we define $w_b := r_b \oplus x$ as the string Patty has to announce in order to open $b$ with success. We have,

$$p_b = \langle \psi_b | w_b \rangle \langle w_b | \psi_b \rangle, \quad (5)$$

which by assumption satisfies

$$p_0 + p_1 \geq 1 + \varepsilon, \quad \varepsilon > 0. \quad (6)$$

Notice that $\langle \psi_b | w_b \rangle$ is a generalized inner product$^8$ since $|w_b\rangle$ lives in a subspace of dimension $2^n$ in $\mathcal{H}_N$. Therefore when $w_b$ is obtained, there is some state left in $\mathcal{H}_{N/2^n}$ of dimension $N/2^n$ which we label as $|v_b\rangle$ (i.e. $|\psi_b\rangle$ has not been completely collapsed by the measurement). Thus, using (5) we can write $|\psi_b\rangle$ as

$$|\psi_b\rangle = \sqrt{p_b}\,|w_b\rangle|v_b\rangle + \sqrt{1-p_b}\,|\phi_b\rangle, \quad (7)$$

where $\|\langle v_b|\langle w_b|\phi_b\rangle\|^2 = 0$. Note that the "state" $|\phi_b\rangle$ does not necessarily have a physical signification. It is simply a mathematical tool that allows us to conveniently carry the statistics.

We want to determine a lower bound for the probability $p_\oplus$. One possible way for Patty to compute $r_0 \oplus r_1$ is to obtain $w_0$ and $w_1$ individually. Again, one possible way to do this is to use the following strategy:

1. Patty applies the strategy allowing her to open $B = 0$ from $|\psi_0\rangle = U_0|\psi\rangle$, resulting in the state $|\psi'_0\rangle$ after the measurement in the computational basis $\{|w\rangle\langle w|\}_{w \in \{0,1\}^n}$ has been performed on the first $n$ qubits, and

2. Patty prepares $|\psi'_1\rangle := U_1 U_0^\dagger |\psi'_0\rangle$ before applying again the measurement in the computational basis $\{|w\rangle\langle w|\}_{w \in \{0,1\}^n}$ on the first $n$ qubits.

Note that when preparing $|\psi'_1\rangle$, we applied $U_0^\dagger$ before $U_1$. This is to put the state $|\psi'_0\rangle$ back as close as possible to the original state $|\psi\rangle$. From (7) and for $N$ big enough, the probability to measure $w_0$ in the first step is not too small and so, by applying the inverse of all the unitary transformations generated by $U_0$, the state $|\psi'\rangle$ we get before applying $U_1$ is a good enough approximation of the original $|\psi\rangle$. Similarly we can say that the fidelity $F(|\psi'\rangle, |\psi\rangle)$ is large enough. By invariance under unitary transformation, it follows that $|\psi'_1\rangle$ approximates $|\psi_1\rangle$ with the same fidelity $F(|\psi'\rangle, |\psi\rangle)$.

In the strategy described above, the probability to determine $r_0 \oplus r_1$ is $p_0 \cdot p_{w_1|w_0}$.

As we said earlier, this is only one of the possible strategies to determine $r_0 \oplus r_1$, thus

$$p_\oplus \geq p_0 \cdot p_{w_1|w_0}.$$

$^8$ If $|w\rangle \in \mathcal{H}_M$ and $|\psi\rangle \in \mathcal{H}_N$ then for $|\psi\rangle_N = \sum_i a_i\,|a_i\rangle_M \otimes |b_i\rangle_{N/M}$ we define $\langle w|\psi\rangle = \sum_i a_i \langle w|a_i\rangle\,|b_i\rangle$.
Let us first find a lower bound on the probability $p_{w_1|w_0}$ to produce $w_1$ given that $w_0$ has already been produced after step 1. Since $w_0$ was obtained, the state $|\psi'_0\rangle$ is equal to $|w_0\rangle|v_0\rangle$. We have,

$$|\psi'_1\rangle = U_1 U_0^\dagger |\psi'_0\rangle = U_1 U_0^\dagger |w_0\rangle|v_0\rangle \quad (8)$$
$$= \frac{1}{\sqrt{p_0}}\, U_1 U_0^\dagger \big(|\psi_0\rangle - \sqrt{1-p_0}\,|\phi_0\rangle\big) \quad (9)$$
$$= \frac{1}{\sqrt{p_0}}\, U_1 \big(|\psi\rangle - \sqrt{1-p_0}\, U_0^\dagger |\phi_0\rangle\big) \quad (10)$$
$$= \frac{1}{\sqrt{p_0}}\, \big(|\psi_1\rangle - \sqrt{1-p_0}\, U_1 U_0^\dagger |\phi_0\rangle\big) \quad (11)$$

where (9) follows from isolating $|w_0\rangle|v_0\rangle$ in (7). (10) and (11) are obtained by definition of $U_0$ and $U_1$ respectively, and (11) also follows from (7). At this point, Patty applies the measurement in the computational basis in order to obtain $w_1$. Since we are interested only in finding a lower bound, the probability to obtain $w_1$ is minimized when $U_1 U_0^\dagger |\phi_0\rangle = |w_1\rangle|v_1\rangle$. It easily follows that,

$$p_{w_1|w_0} \geq \frac{1}{p_0}\big(\sqrt{p_1} - \sqrt{1-p_0}\big)^2 \quad (12)$$
$$\geq \frac{1}{p_0}\big(\sqrt{1-p_0+\varepsilon} - \sqrt{1-p_0}\big)^2 \quad (13)$$
$$\geq \frac{\varepsilon^2}{4p_0} \quad (14)$$

where (12) follows from (11), (13) is obtained from (6), and (14) follows from a Taylor expansion. Finally, (14) gives the desired result since

$$p_\oplus \geq p_0 \cdot p_{w_1|w_0} \geq \frac{\varepsilon^2}{4}.$$

Theorem 6. If there exists an algorithm $A$ that can cheat the mBGKW Bit Commitment scheme with probabilities $p_0 + p_1 > 1 + 2/\sqrt{2^n}$ then there exists an algorithm $A'$ that can predict an unknown $n$-bit string $(r_0 \oplus r_1)$ with probability better than $1/2^n$, which is impossible.

Proof (of Theorem 6). From the isolation assumption, we have

$$p_\oplus \leq \frac{1}{2^n}. \quad (15)$$

Using the result from Lemma 1,

$$\frac{1}{2^n} \geq p_\oplus \geq \frac{\varepsilon^2}{4} \;\Rightarrow\; \varepsilon \leq \frac{2}{\sqrt{2^n}}.$$
It follows that the binding condition is satisfied: plugging (15) in Lemma 1 we get for any cheating strategy

$$p_0 + p_1 \leq 1 + \frac{2}{\sqrt{2^n}}.$$


Notice that the proof presented in Lemma 1 can easily be generalized to a whole class of Bit Commitment schemes with the properties that information unknown to Patty is sent to Peggy to commit, and an exact answer is needed from Patty to unveil successfully the committed bit. Theorem 6 therefore holds for a whole class of Bit Commitment schemes in the Two-Prover model.

Note that sBGKW is the same as mBGKW where $r_0 := 000\ldots0$ is the all-zero string all the time. The statement and proof of Lemma 1 are equally valid for any fixed choice of either (but not both) $r_0$ or $r_1$ because the probability to predict $r_0 \oplus r_1$ remains exponentially small. Hence using only the model's assumption we get:

Corollary 1. If there exists an algorithm $A$ that can cheat the sBGKW Bit Commitment scheme with probabilities $p_0 + p_1 > 1 + 2/\sqrt{2^n}$ then there exists an algorithm $A'$ that can predict an unknown $n$-bit string $r$ with probability better than $1/2^n$, which is impossible.

However, as previously, this proof is valid solely in a stand-alone security model. As soon as one starts composing such protocols, this proof is not necessarily valid anymore.

6 Conclusion and Open Problems

This paper contained several results. It showed that Two-Prover Bit Commitment schemes may or may not be secure quantumly when they are classically. It also considered for the first time the exact conditions that the provers and verifier must satisfy to obtain security proofs of such Bit Commitment schemes both classically and quantumly.

A natural question would be to determine if the binding condition of ALL Two-Prover Quantum Bit Commitment schemes can be broken by a non-local computation that does not allow communication. This would imply that the no-communication assumption is NEVER sufficient to assess the security of such schemes. A hierarchy of non-local correlations may be imagined with higher-up correlations simulating lower-down correlations, but not the opposite. What is the Bit Commitment scheme that can be broken only by the very highest correlation?

In our definition of Bit Commitment, we asserted that cheating meant $p_0 + p_1 > 1 + \varepsilon$ for non-negligible $\varepsilon$. However, recently more precise binding conditions have been introduced […]. The results of this paper should be extended to suit this newer definition.

The last natural question that results from our work is to find the complexity class corresponding to Quantum Two-Prover Zero-Knowledge Interactive Proofs (and similarly for $k > 2$ provers). Remember that these questions are not even settled for Quantum Two-Prover Interactive Proofs alone. As soon as the verifier is also quantum it is not clear how Bit Commitments may be used to "encrypt" the verifier's computations, thus the classical methodologies fall apart.
A Isolation Examples

Example 1:

Let $P_0$ send to Ted a message represented by $(X,\{0\})_0$ (the variable $X$ is tagged with $\{0\}$ and comes from $P_0$). Then Ted generates a uniform random variable $(W,T)_D$ (its tag and receiver have not been set yet) and produces the message $M = X \oplus W$ for $P_1$. Checking with equation (4) we see there is no problem setting $M$'s tag to $\{1\}$, as

$$H\big((M,\{1\})_1 \,\big|\, (X,\{0\})_0\big) = H\big((W,T)_D\big) = H\big((M,\{1\})_1\big).$$

This is satisfied since $(W,T)_D$ is uniform and has never been sent. However, the practical definition would have assigned the tag $T := \{0\}$ since $W$'s tag would have been $\{0,1\}$ (by the second rule) and $\{0\} = \{0\} \cap \{0,1\}$. Let Ted send $(M,\{1\})_1$. We now get that for both $D = 0$ and $1$, if $T = \{D\}$ or $\{0,1\}$ then the left-hand side of equation (4) for $W$ is

$$H\big((W,T)_D \,\big|\, (X,\{0\})_0, (M,\{1\})_1\big) = 0,$$

and the right-hand side is respectively

$$H\big((W,\{0\})_0 \,\big|\, (X,\{0\})_0\big) = H\big((W,\{0\})_0\big) = 1,$$
$$H\big((W,\{1\})_1 \,\big|\, (M,\{1\})_1\big) = H\big((X,\{0\})_0\big) = 1,$$
$$H\big((W,\{0,1\})_D\big) = 1.$$

Because equation (4) is not satisfied for both $T = \{D\}$ and $\{0,1\}$, $W$'s tag is set to $T := \emptyset$, and Ted should not send $(W,\emptyset)_D$ to either of $P_D$, for $D = 0, 1$.

Example 2:

Similarly, we can send to $P_1$ a message $M$ that would have been tagged $\emptyset$ by the practical definition. We take the PR-box relation as example. Suppose the variables $(X,\{0\})_0$ and $(Y,\{1\})_1$ have already been sent to Ted by the players (and tagged accordingly), and $(U,\{0,1\})_0$ has been sent by Ted to $P_0$. Let $(W,T)_D$ be a uniformly distributed random variable chosen by Ted, with $D \in \{0,1\}$. Consider the following variable for $P_1$,

$$V = U \oplus (W \oplus X) \wedge Y,$$

that is, we randomized the variable tagged $\{0\}$ (i.e. $X$) in the PR-box relation. In the practical definition, because $W$ is chosen uniformly and independently of previous variables, the second rule would have assigned the tag $\{0,1\}$ to it, and so $V$'s tag would have been set to $\emptyset = \{0,1\} \cap \{0,1\} \cap \{0\} \cap \{1\}$. However, checking with equation (4), because $W$ has not been sent yet, we get that there is no problem setting $V$'s tag to $\{1\}$,$^9$ as

$$H\big((V,\{1\})_1 \,\big|\, (Y,\{1\})_1, (X,\{0\})_0, (U,\{0,1\})_0\big) = \tfrac{1}{2} = H\big((V,\{1\})_1 \,\big|\, (Y,\{1\})_1, (U,\{0,1\})_0\big).$$

$^9$ It is straightforward to verify that this is the less restrictive tag.
So Ted would send this message $(V,\{1\})_1$ to $P_1$. Is this a problem? No, because the classical limitations of non-locality have not been violated yet! The reason is simple: by randomizing completely all the [private] variables related to $P_0$, Ted is reducing the message he sends to $P_1$ to what $P_1$ can exactly achieve using local variables. That is to say, $P_1$ already has a random view of $P_0$'s variables, so there is no problem for Ted to first randomize $P_0$'s variables and then send this message to $P_1$. If we make the calculations, we see that indeed, for the variable $V$ sent, the relation

$$V = U \oplus X \wedge Y$$

holds with probability 75%, just as in the classical scenario, and no $W$ will ever let us beat that. Of course, as in the previous example, the variable $(W,T)_D$ used to randomize can never be disclosed to either of the two players, and equation (4) agrees with that ($W$'s tag will be set to $T := \emptyset$ for both $D$).
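The entropies quoted in Examples 1 and 2 can be verified by exhaustive enumeration over the uniform bits involved. The Python below is an added example, not from the paper: it computes the conditional entropies on both sides of equation (4) for the tags discussed in each example, and counts how often the PR-box relation $V = U \oplus X \wedge Y$ holds once $X$ has been randomized. Function names are my own; every distribution is the uniform one the examples assume.

```python
from collections import defaultdict
from itertools import product
from math import log2


def conditional_entropy(worlds, target, given):
    """H(target | given) in bits over equally likely worlds (dicts of bit values)."""
    groups = defaultdict(lambda: defaultdict(int))
    for w in worlds:
        key = tuple(w[g] for g in given)
        groups[key][w[target]] += 1
    total = len(worlds)
    h = 0.0
    for counts in groups.values():
        n = sum(counts.values())
        for c in counts.values():
            h -= (n / total) * (c / n) * log2(c / n)
    return h


def example1_worlds():
    # Example 1: X from P_0, W fresh and uniform, M = X xor W intended for P_1.
    return [{"X": x, "W": w, "M": x ^ w} for x, w in product((0, 1), repeat=2)]


def example1_checks():
    ws = example1_worlds()
    return {
        # tag {1} for M: both sides of (4) equal 1 bit, so M may go to P_1
        "H(M|X)": conditional_entropy(ws, "M", ["X"]),
        "H(M)": conditional_entropy(ws, "M", []),
        # W after M was sent: left side 0, right sides 1, so W gets tag ∅
        "H(W|X,M)": conditional_entropy(ws, "W", ["X", "M"]),
        "H(W|X)": conditional_entropy(ws, "W", ["X"]),
        "H(W|M)": conditional_entropy(ws, "W", ["M"]),
    }


def example2_worlds():
    # Example 2: X from P_0, Y from P_1, U already sent to P_0, W fresh;
    # V = U xor ((W xor X) and Y) is the randomized PR-box output for P_1.
    return [{"X": x, "Y": y, "U": u, "W": w, "V": u ^ ((w ^ x) & y)}
            for x, y, u, w in product((0, 1), repeat=4)]


def example2_checks():
    ws = example2_worlds()
    return {
        # tag {1} for V: both sides of (4) equal 1/2 bit, so V may go to P_1
        "H(V|Y,X,U)": conditional_entropy(ws, "V", ["Y", "X", "U"]),
        "H(V|Y,U)": conditional_entropy(ws, "V", ["Y", "U"]),
        # W afterwards (D = 1, tag {1}): left side 1/2, right side 1, so W gets tag ∅
        "H(W|Y,V,X,U)": conditional_entropy(ws, "W", ["Y", "V", "X", "U"]),
        "H(W|Y,V,U)": conditional_entropy(ws, "W", ["Y", "V", "U"]),
    }


def pr_relation_rate():
    """Fraction of worlds in which V = U xor (X and Y): 3/4, the classical PR-box bound."""
    ws = example2_worlds()
    return sum(w["V"] == w["U"] ^ (w["X"] & w["Y"]) for w in ws) / len(ws)
```

The same routine evaluates any instance of equation (4) once the variables in $S_{D,T}$ and $R_{D,T}$ are listed, which is how the information-based criteria can be checked against an existing protocol.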


Efficient Zero-Knowledge Arguments from Two-Tiered Homomorphic Commitments

Jens Groth*

University College London, UK
j.groth@ucl.ac.uk

Abstract. We construct practical and efficient zero-knowledge arguments with sublinear communication complexity. The arguments have perfect completeness, perfect special honest verifier zero-knowledge and computational soundness. Our zero-knowledge arguments rely on two-tiered homomorphic commitments for which pairing-based constructions already exist.

As a concrete application of our new zero-knowledge techniques, we look at the case of range proofs. To demonstrate that a committed value belongs to a specific $N$-bit integer interval we only need to communicate $O(N^{1/3})$ group elements.

Keywords: Zero-knowledge arguments, sublinear communication, circuit satisfiability, range proofs, two-tiered homomorphic commitments.

1 Introduction

Zero-knowledge proofs introduced by Goldwasser, Micali and Rackoff […] are fundamental building blocks in cryptography that are used in secure multi-party computation and numerous other protocols. Zero-knowledge proofs enable a prover to convince a verifier of the truth of a statement without leaking any other information. The central properties are captured in the notions of completeness, soundness and zero-knowledge.

Completeness: The prover can convince the verifier if the prover knows a witness testifying to the truth of the statement.

Soundness: A malicious prover cannot convince the verifier if the statement is false. We distinguish between computational soundness that protects against polynomial time cheating provers and statistical or perfect soundness where even an unbounded prover cannot convince the verifier of a false statement. We will call computationally sound proofs arguments.

Zero-knowledge: A malicious verifier learns nothing except that the statement is true. We distinguish between computational zero-knowledge, where a polynomial time verifier learns nothing from the proof, and statistical or perfect zero-knowledge, where even a verifier with unlimited resources learns nothing from the proof.

Recent works on zero-knowledge proofs […] give us proofs with a communication complexity that grows linearly in the size of the statement to be proven and […]

* Supported by EPSRC grant number EP/G013829/1.
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also give us proofs where the communication complexity depends quasi-linearly on the 
witness-length. These works rely on standard assumptions; if one is willing to assume 
the existence of fully homomorphic encryption o the communication complexity can 
be reduced to the witness-length plus a small additive overhead 111 41231 . 

For zero-knowledge arguments the communication complexity can be even lower. 
Kilian m gave a zero-knowledge argument for circuit satisfiability with polylog- 
arithmic communication. His argument goes through the PCP-theorem 1131211 111 and 
uses a collision-free hash-function to build a hash-tree that includes the entire PCP 
though. Even with the best PCP constructions known to date |0| Kilian’ s argument has 
high computational complexity for practical parameters. Goldwasser, Kalai and Roth- 
blum o improve that state of affairs by constructing arguments that have both low 
communication complexity and highly efficient verification. 

A large body of research starting with Schnorr’s identification protocols El deals 
with zero-knowledge proofs and arguments over prime order groups. A class of zero- 
knowledge proofs and arguments known as ^-protocols 0 is often used in practical 
applications. Groth G2 also used prime order groups to develop practical sublinear 
size zero-knowledge arguments for statements relating to linear algebra over Z p for 
large primes p. 

One particular example of zero-knowledge arguments that has appeared in several applications, e.g., e-voting [?] and auctions [?], is range proofs. Here the prover holds a commitment to a value $w$ and wants to convince the verifier that the value belongs to a specific integer interval $[A; B)$. Boudot [?], Lipmaa [?] and Groth [?] have given constant size zero-knowledge arguments for interval membership based on the strong RSA assumption.

In prime order groups the best range proof technique known was for a long time to commit to the bits of the value and use OR-proofs [?] to show that the committed bits were 0 or 1. For $N$-bit integers this communicates $O(N)$ group elements. Camenisch, Chaabouni and Shelat [6] improved this in the bilinear group setting by giving a zero-knowledge range proof with communication complexity $O(N/\log N)$. Chaabouni, Lipmaa and Shelat [7] improved this complexity by a factor 2.

Our contribution. We construct zero-knowledge arguments for circuit satisfiability and range proofs that have perfect completeness and perfect zero-knowledge. For simplicity our constructions are in the common reference string model, but typically the common reference string can be chosen by the verifier at the cost of one extra round in the beginning to get zero-knowledge arguments in the plain model; we refer to the remarks at the end of Section 2.2 for further discussion.

The circuit satisfiability argument has communication complexity $O(N^{1/3})$ group elements when the circuit has $N$ gates. The range proof has a size of $O(N^{1/3})$ group elements for $N$-bit intervals. The arguments have quasi-linear computational complexity for the prover and very efficient verification. An efficiency comparison of the arguments can be found in Tables 1 and 2.

In the tables we give the conservative estimate of $O(N \log^2 N)$ for the prover's computation, but as we will discuss at the end of Section 3 it can often be reduced to $O(N \log N)$ using Fast Fourier Transform techniques. When comparing the range proofs, we are assuming a common reference string is available. This permits the incorporation of the initial messages in [6,7] into the common reference string such that their range proofs only use 3 rounds instead of 4 rounds.

Table 1. Zero-knowledge arguments for satisfiability of circuits with N NAND-gates measured in group elements G, exponentiations E, and multiplications M

                  | Rounds | Comm.        | Prover comp.   | Verifier comp. | Assumption
Cramer et al. [?] | 3      | O(N) G       | O(N) E         | O(N) E         | DLog
Groth [?]         | 5      | O(N^{1/2}) G | O(N log^2 N) M | O(N) M         | DLog
This paper        | 7      | O(N^{1/3}) G | O(N log^2 N) M | O(N) M         | DPair

Table 2. Range proofs in prime order groups measured in group elements G, exponentiations E, and multiplications M

                     | Rounds | Comm.        | Prover comp.   | Verifier comp. | Assumption
Camenisch et al. [6] | 3      | O(N/log N) G | O(N/log N) E   | O(N/log N) E   | q-SDH
Chaabouni et al. [7] | 3      | O(N/log N) G | O(N/log N) E   | O(N/log N) E   | q-SDH
This paper           | 7      | O(N^{1/3}) G | O(N log^2 N) M | O(N^{1/3}) M   | DPair

Our zero-knowledge arguments can be instantiated in asymmetric bilinear groups where the computational double pairing assumption (Section 2.1) holds. In comparison, the range proofs [6,7] are based on the q-SDH assumption in bilinear groups.

Techniques. Our main technical contribution is the batch product argument that can be found in Section 3. Using homomorphic commitments to group elements [?] we can, in combination with Pedersen commitments to multiple elements, commit to $N$ elements in $\mathbb{Z}_p$ using only $N^{1/3}$ group elements. Given $3N$ committed elements $u_i, v_i, w_i \in \mathbb{Z}_p$ we generalize techniques from [?] to develop a communication-efficient zero-knowledge argument for proving that the committed values all satisfy

$$u_i v_i = w_i.$$

Since the commitments are homomorphic we can now do both additions and multiplications on the committed elements. This enables the prover to commit to the wires in a circuit and prove that they respect the NAND-gates.

For the range proof we commit to the bits $w_1, \ldots, w_N$ of the committed value. Using the batch product argument we can show with a communication complexity of $O(N^{1/3})$ group elements that the committed bits satisfy $w_i w_i = w_i$, which can only be true if $w_i \in \{0,1\}$. Once we have the committed bits, we can then use the homomorphic properties of the commitment schemes to compute $w = \sum_{i=1}^{N} w_i 2^{i-1}$. This shows that $w$ belongs to the range $[0; 2^N)$ and can be generalized to a range of the form $[A; B)$.

2 Preliminaries 

We write $y = A(x; r)$ when the algorithm $A$ on input $x$ and randomness $r$ outputs $y$. We write $y \leftarrow A(x)$ for the process of picking randomness $r$ at random and setting $y = A(x; r)$. We also write $y \leftarrow S$ for sampling $y$ uniformly at random from the set $S$. We give a security parameter $\lambda$ written in unary as input to all parties in our protocols. Intuitively, the higher the security parameter the more secure the protocol. We say a function $f : \mathbb{N} \to [0,1]$ is negligible if $f(\lambda) = O(\lambda^{-c})$ for every constant $c > 0$. We write $f \approx g$ when $|f(\lambda) - g(\lambda)|$ is negligible. We say $f$ is overwhelming if $f \approx 1$.


2.1 Two-tiered Homomorphic Commitments 

A commitment scheme allows Alice to compute and send a commitment to a secret 
message a. Later Alice may open the commitment and reveal to Bob that she commit- 
ted to a. Commitments must be binding and hiding. Binding means that Alice cannot 
change her mind; a commitment can only be opened to one message a. Hiding means 
that Bob does not learn which message Alice committed to. 

In the Pedersen commitment scheme [?] the public key contains the description of a group of prime order $p$ and group elements $g, h$. A commitment to $a \in \mathbb{Z}_p$ is constructed by picking $r \leftarrow \mathbb{Z}_p$ and computing $c = g^a h^r$. This commitment scheme is very useful because it is homomorphic, i.e., the product of two commitments is $c \cdot d = (g^a h^r)(g^b h^s) = g^{a+b} h^{r+s}$, which is a commitment to $a + b$. The Pedersen commitment can be generalized such that the public key contains $g_1, \ldots, g_n, h$ and a commitment to $(a_1, \ldots, a_n) \in \mathbb{Z}_p^n$ is computed as $h^r \prod_{k=1}^{n} g_k^{a_k}$.

Abe, Fuchsbauer, Groth, Haralambiev and Ohkubo [?] proposed commitment schemes for group elements. One of the commitment schemes uses a bilinear group with a pairing $e : G \times \hat{G} \to T$. Here $G, \hat{G}, T$ are cyclic groups of prime order $p$ where we call $G, \hat{G}$ the base groups and $T$ the target group. The pairing is efficiently computable, non-trivial and bilinear, i.e., for all $x, y, a, b$ we have $e(x^a, y^b) = e(x, y)^{ab}$. The commitment scheme specifies non-trivial group elements $v, u_1, \ldots, u_m \in \hat{G}$ and a commitment to $(c_1, \ldots, c_m) \in G^m$ is computed by picking at random $t \in G$ and computing $C = e(t, v) \prod_{j=1}^{m} e(c_j, u_j)$. The commitment scheme is computationally binding under the computational double pairing assumption, which states that given random $u, v \in \hat{G}$ it is hard to find non-trivial $s, t \in G$ such that $e(s, u) = e(t, v)$. The hardness of the computational double pairing assumption is implied by the decision Diffie-Hellman assumption in $\hat{G}$ [?].¹ Furthermore, the bilinearity of the pairing means that the commitment scheme is homomorphic in the sense that

$$e(t, v) \prod_{j=1}^{m} e(c_j, u_j) \cdot e(t', v) \prod_{j=1}^{m} e(c'_j, u_j) = e(tt', v) \prod_{j=1}^{m} e(c_j c'_j, u_j)$$

is a commitment to the entry-wise product of the messages.

Combining the two types of commitment schemes it is possible to commit to commitments. If we compute $c_j = h^{r_j} \prod_{k=1}^{n} g_k^{a_{jk}}$ and $C = e(t, v) \prod_{j=1}^{m} e(c_j, u_j)$ we have a single target group element that is a commitment to $mn$ values $\{a_{jk}\}_{j=1,k=1}^{m,n}$. Since both commitment schemes are homomorphic the product of two commitments $C \cdot C'$ is a commitment to the sums of the messages $a_{jk} + a'_{jk}$. In our zero-knowledge arguments the homomorphic and the length-reducing properties allow the prover to do computations on committed values in a verifiable manner and with little communication.

¹ Galbraith, Paterson and Smart [?] classified bilinear groups into 3 types. The commitment scheme described above uses type II or type III bilinear groups. In a type I bilinear group we could instead use the decisional linear assumption based commitment scheme from [?].

The commitment schemes described above provide an example of what we will call a two-tiered commitment scheme. With the Pedersen commitment scheme in mind we will for simplicity assume the randomness is drawn from $\mathbb{Z}_p$, but it would be easy to generalize to other randomizer spaces. Furthermore, in the example given above the Pedersen commitments are perfectly hiding and we can therefore use trivial randomness $t = 1$ in the commitments to Pedersen commitments. This observation is incorporated in the following definition of a two-tiered commitment scheme.

A two-tiered commitment scheme has three polynomial time algorithms $(\mathcal{K}, \mathrm{com}, \mathrm{com}^{(2)})$. $\mathcal{K}$ is a key generator that on security parameter $\lambda$ and integers $m, n$ returns a public key $ck$. The commitment key specifies cyclic groups $\mathbb{Z}_p$, $G$ and $T$ of prime order $p$. It also specifies how to efficiently compute $\mathrm{com}_{ck} : \mathbb{Z}_p^n \times \mathbb{Z}_p \to G$ and $\mathrm{com}^{(2)}_{ck} : G^m \to T$.

Definition 1 (Homomorphic). We say the two-tiered commitment scheme is homomorphic when the maps $\mathrm{com}_{ck}$ and $\mathrm{com}^{(2)}_{ck}$ are $\mathbb{Z}_p$-linear.

Definition 2 (Computationally binding). The two-tiered commitment scheme $(\mathcal{K}, \mathrm{com}, \mathrm{com}^{(2)})$ is computationally binding if for all non-uniform polynomial time adversaries $\mathcal{A}$ and for all $m, n = \lambda^{O(1)}$

$$\Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); (a, b, r, s, c, d) \leftarrow \mathcal{A}(ck) : a \neq b \in \mathbb{Z}_p^n,\ r, s \in \mathbb{Z}_p,\ c \neq d \in G^m,\ \mathrm{com}_{ck}(a; r) = \mathrm{com}_{ck}(b; s) \text{ or } \mathrm{com}^{(2)}_{ck}(c) = \mathrm{com}^{(2)}_{ck}(d)\Big] \approx 0.$$

Definition 3 (Perfectly hiding). The two-tiered commitment scheme $(\mathcal{K}, \mathrm{com}, \mathrm{com}^{(2)})$ is perfectly hiding if for all stateful adversaries $\mathcal{A}$ and all $m, n = \lambda^{O(1)}$

$$\Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); a_0, a_1 \leftarrow \mathbb{Z}_p^n; b \leftarrow \{0,1\}; c \leftarrow \mathrm{com}_{ck}(a_b) : \mathcal{A}(ck, a_0, a_1, c) = b\Big] = \tfrac{1}{2}.$$

The zero-knowledge arguments we describe will work over any two-tiered homomorphic commitment scheme with a large prime $p$. When giving concrete efficiency estimates we will assume we are using the bilinear group based scheme described earlier in this section. The public key for this commitment scheme consists of a description of a bilinear group $(p, G, \hat{G}, T, e)$ and $m + n + 2$ group elements in $G$ and $\hat{G}$. We will be looking at statements of size $N$ and the minimal communication complexity will be obtained when $m = O(N^{1/3})$ and $n = O(N^{1/3})$, giving a public key size of $O(N^{1/3})$ group elements.

2.2 Special Honest Verifier Zero-knowledge Arguments of Knowledge 

We will for simplicity describe how our arguments work in the common reference string 
model and how to obtain zero-knowledge against honest-but-curious verifiers. Both of 
these restrictions can be removed at very small cost to get full zero-knowledge in the 
plain model as described in the remarks at the end. 
Consider a triple of probabilistic polynomial time interactive algorithms $(\mathcal{K}, \mathcal{P}, \mathcal{V})$ called the common reference string generator, the prover and the verifier. The common reference string generator takes the security parameter $\lambda$ as input in unary and some auxiliary input $m, n$ that specifies the size of the statements and generates a common reference string. In the zero-knowledge arguments in this paper, the common reference string will contain the public key $ck$ for a two-tiered commitment scheme.

Let $R$ be a polynomial time decidable ternary relation. For a statement $x$ we call $w$ a witness if $(ck, x, w) \in R$. We define a corresponding common reference string dependent language $L_{ck}$ consisting of statements $x$ that have a witness $w$ such that $(ck, x, w) \in R$. This is a natural generalization of NP-languages; when $R$ ignores $ck$ we have the standard notion of an NP-language.

We write $tr \leftarrow \langle \mathcal{P}(s), \mathcal{V}(t) \rangle$ for the public transcript produced by $\mathcal{P}$ and $\mathcal{V}$ when interacting on inputs $s$ and $t$. This transcript ends with $\mathcal{V}$ either accepting or rejecting. We sometimes shorten the notation by saying $\langle \mathcal{P}(s), \mathcal{V}(t) \rangle = b$, where $b = 0$ corresponds to $\mathcal{V}$ rejecting and $b = 1$ corresponds to $\mathcal{V}$ accepting.

Definition 4 (Argument). The triple $(\mathcal{K}, \mathcal{P}, \mathcal{V})$ is an argument for relation $R$ with perfect completeness if for all non-uniform polynomial time interactive adversaries $\mathcal{A}$ and all $m, n = \lambda^{O(1)}$ we have

Perfect completeness:

$$\Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); (x, w) \leftarrow \mathcal{A}(ck) : (ck, x, w) \notin R \text{ or } \langle \mathcal{P}(ck, x, w), \mathcal{V}(ck, x) \rangle = 1\Big] = 1.$$

Computational soundness:

$$\Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); x \leftarrow \mathcal{A}(ck) : x \notin L_{ck} \text{ and } \langle \mathcal{A}, \mathcal{V}(ck, x) \rangle = 1\Big] \approx 0.$$

Definition 5 (Public coin argument). An argument $(\mathcal{K}, \mathcal{P}, \mathcal{V})$ is public coin if the verifier's messages are chosen uniformly at random independently of the messages sent by the prover.

We shall define an argument of knowledge through witness-extended emulation [?]. Informally, the definition says: given an adversary that produces an acceptable argument with probability $\epsilon$, there exists an emulator that produces a similar argument with roughly the same probability $\epsilon$ and at the same time provides a witness.

Definition 6 (Witness-extended emulation). We say the public coin argument $(\mathcal{K}, \mathcal{P}, \mathcal{V})$ has computational witness-extended emulation if for all deterministic polynomial time $\mathcal{P}^*$ there exists an expected polynomial time emulator $\mathcal{X}$ such that for all non-uniform polynomial time adversaries $\mathcal{A}$ and all $m, n = \lambda^{O(1)}$

$$\Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); (x, s) \leftarrow \mathcal{A}(ck); tr \leftarrow \langle \mathcal{P}^*(ck, x, s), \mathcal{V}(ck, x) \rangle : \mathcal{A}(tr) = 1\Big]$$

$$\approx \Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); (x, s) \leftarrow \mathcal{A}(ck); (tr, w) \leftarrow \mathcal{X}^{\langle \mathcal{P}^*(ck, x, s), \mathcal{V}(ck, x) \rangle}(ck, x) : \mathcal{A}(tr) = 1 \text{ and if } tr \text{ is accepting then } (ck, x, w) \in R\Big],$$

where $\mathcal{X}$ has access to a transcript oracle $\langle \mathcal{P}^*(ck, x, s), \mathcal{V}(ck, x) \rangle$ that can be rewound to a particular round and run again with the verifier using fresh randomness.
We think of $s$ as being the state of $\mathcal{P}^*$, including the randomness. Then we have an argument of knowledge in the sense that the emulator can extract a witness whenever $\mathcal{P}^*$ is able to make a convincing argument. This shows that the definition implies soundness. We remark that the verifier's randomness is part of the transcript and the prover is deterministic. So combining the emulated transcript with $ck, x, s$ gives us the view of both the prover and the verifier and at the same time gives us the witness.

We define special honest verifier zero-knowledge (SHVZK) [?] for a public coin argument as the ability to simulate the transcript without access to the witness as long as the challenges are known in advance.

Definition 7 (Perfect special honest verifier zero-knowledge). The public coin argument $(\mathcal{K}, \mathcal{P}, \mathcal{V})$ is a perfect special honest verifier zero-knowledge argument for $R$ if there exists a probabilistic polynomial time simulator $\mathcal{S}$ such that for all non-uniform polynomial time adversaries $\mathcal{A}$ and all $m, n = \lambda^{O(1)}$

$$\Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); (x, w, \rho) \leftarrow \mathcal{A}(ck); tr \leftarrow \langle \mathcal{P}(ck, x, w), \mathcal{V}(ck, x; \rho) \rangle : (ck, x, w) \in R \text{ and } \mathcal{A}(tr) = 1\Big]$$

$$= \Pr\Big[ck \leftarrow \mathcal{K}(1^\lambda, m, n); (x, w, \rho) \leftarrow \mathcal{A}(ck); tr \leftarrow \mathcal{S}(ck, x, \rho) : (ck, x, w) \in R \text{ and } \mathcal{A}(tr) = 1\Big].$$

The plain model. We will describe our arguments in the common reference string model 
where the prover and verifier have a trusted setup. If we want to work in the plain 
model we can add an initial round where the verifier picks the common reference string 
and sends it to the prover. Provided it can be verified that the verifier’s initial message 
describes a valid common reference string this will still be perfect SHVZK because 
we do not rely on the simulator knowing any trapdoor information associated with the 
common reference string. 

Full zero-knowledge. For simplicity, we focus on SHVZK arguments in this paper. There are very efficient standard techniques [?] to convert an SHVZK argument into a public-coin full zero-knowledge argument with a cheating verifier when a common reference string is available.

If we work in the plain model and let the verifier choose the common reference string, we can use coin-flipping techniques (for the full zero-knowledge property the coin-flips should be simulatable against a dishonest verifier) for the challenges to get private-coin² full zero-knowledge arguments against a cheating verifier. Challenges in our SHVZK arguments are very short, so both in the case with and without a common reference string the overhead of getting full zero-knowledge is insignificant compared to the cost of the SHVZK arguments.

² Goldreich and Krawczyk [?] have shown that only languages in BPP have constant-round public-coin arguments.

3 Batch Product Argument

We will now present our main technical contribution, which is a batch product argument for committed values $\{u_{ijk}, v_{ijk}, w_{ijk}\}_{i,j,k=1}^{M,m,n}$ satisfying $u_{ijk} v_{ijk} = w_{ijk}$. More precisely, the statement consists of commitments $C_{U_1}, C_{V_1}, C_{W_1}, \ldots, C_{U_M}, C_{V_M}, C_{W_M}$. The prover argues knowledge of openings $r_{ij}, s_{ij}, t_{ij}, u_{ijk}, v_{ijk}, w_{ijk} \in \mathbb{Z}_p$ satisfying

$$c_{U_{ij}} = \mathrm{com}_{ck}(u_{ij1}, \ldots, u_{ijn}; r_{ij}) \qquad C_{U_i} = \mathrm{com}^{(2)}_{ck}(c_{U_{i1}}, \ldots, c_{U_{im}})$$

$$c_{V_{ij}} = \mathrm{com}_{ck}(v_{ij1}, \ldots, v_{ijn}; s_{ij}) \qquad C_{V_i} = \mathrm{com}^{(2)}_{ck}(c_{V_{i1}}, \ldots, c_{V_{im}})$$

$$c_{W_{ij}} = \mathrm{com}_{ck}(w_{ij1}, \ldots, w_{ijn}; t_{ij}) \qquad C_{W_i} = \mathrm{com}^{(2)}_{ck}(c_{W_{i1}}, \ldots, c_{W_{im}})$$

$$u_{ijk} v_{ijk} = w_{ijk}.$$

The argument will have communication complexity $O(M + m + n)$. In order to explain the idea behind the argument let us first focus on soundness and for now postpone the question of how to get SHVZK. In the argument, the prover will demonstrate that she knows openings of $C_{U_i}, C_{V_i}, C_{W_i}$ to $c_{U_{ij}}, c_{V_{ij}}, c_{W_{ij}}$ and that she knows openings of $c_{U_{ij}}, c_{V_{ij}}, c_{W_{ij}}$ using standard techniques. She will also know openings $a_\alpha, \rho_\alpha, b_\beta, \sigma_\beta \in \mathbb{Z}_p$ of intermediate commitments $c_{a_\alpha} = \mathrm{com}_{ck}(a_\alpha; \rho_\alpha)$, $c_{b_\beta} = \mathrm{com}_{ck}(b_\beta; \sigma_\beta)$ that she sends during the argument and which will be specified later. The argument runs over 7 moves with the prover getting challenges $x, y, z \in \mathbb{Z}_p^*$ in rounds 2, 4 and 6. The commitments $c_{a_\alpha}$ are sent in round 3 and the commitments $c_{b_\beta}$ are sent in round 5. This means $a_\alpha$ may depend on $x$ but is independent of $y$ and $z$, and $b_\beta$ may depend on both $x$ and $y$ but is independent of $z$.

The prover will demonstrate to the verifier that

$$\sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} (u_{ijk} v_{ijk} - w_{ijk}) x^{i(m+1)n + jn + k} = 0. \qquad (1)$$

Unless $u_{ijk} v_{ijk} = w_{ijk}$ for all choices of $i, j, k$ this has negligible probability of holding over a randomly chosen challenge $x \in \mathbb{Z}_p^*$. Our main obstacle is to build up this polynomial and convince the verifier that the equality (1) holds true using only $O(M + m + n)$ communication.

We carefully choose appropriate linear combinations of the commitments and by the homomorphic property get corresponding linear combinations of the $u_{ijk}, v_{ijk}, w_{ijk}$ values such that the equality (1) emerges. During this process, we will also use exponentiations of some of the commitments to powers of $x$ such that we get linear combinations of $u_{ijk} x^{i(m+1)n + jn + k}$ and $w_{ijk} x^{i(m+1)n + jn + k}$. Suppose for instance that the prover after seeing $x$ computes and opens

$$\prod_{i=1}^{M} C_{U_i}^{x^{i(m+1)n}} = \mathrm{com}^{(2)}_{ck}(c_{u_1}, \ldots, c_{u_m}) \quad \text{where} \quad c_{u_j} = \prod_{i=1}^{M} c_{U_{ij}}^{x^{i(m+1)n}}$$

$$\prod_{i=1}^{M} C_{V_i} = \mathrm{com}^{(2)}_{ck}(c_{v_1}, \ldots, c_{v_m}) \quad \text{where} \quad c_{v_j} = \prod_{i=1}^{M} c_{V_{ij}}$$

$$\prod_{i=1}^{M} C_{W_i}^{x^{i(m+1)n}} = \mathrm{com}^{(2)}_{ck}(c_{w_1}, \ldots, c_{w_m}) \quad \text{where} \quad c_{w_j} = \prod_{i=1}^{M} c_{W_{ij}}^{x^{i(m+1)n}}$$
and at the same time computes and opens

$$\prod_{j=1}^{m} c_{u_j}^{x^{jn}} = \mathrm{com}_{ck}(u_1, \ldots, u_n; r) \quad \text{where} \quad u_k = \sum_{i=1}^{M} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn}$$

$$\prod_{j=1}^{m} c_{v_j} = \mathrm{com}_{ck}(v_1, \ldots, v_n; s) \quad \text{where} \quad v_k = \sum_{i=1}^{M} \sum_{j=1}^{m} v_{ijk}$$

$$\prod_{j=1}^{m} c_{w_j}^{x^{jn}} = \mathrm{com}_{ck}(w_1, \ldots, w_n; t) \quad \text{where} \quad w_k = \sum_{i=1}^{M} \sum_{j=1}^{m} w_{ijk} x^{i(m+1)n + jn}.$$

Using only $3m$ commitments and $3n + 3$ elements in $\mathbb{Z}_p$ this tells the verifier

$$u_k x^k = \sum_{i=1}^{M} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn + k} \qquad v_k = \sum_{i=1}^{M} \sum_{j=1}^{m} v_{ijk} \qquad w_k x^k = \sum_{i=1}^{M} \sum_{j=1}^{m} w_{ijk} x^{i(m+1)n + jn + k}.$$

We now have that

$$\sum_{k=1}^{n} (u_k v_k - w_k) x^k = \sum_{k=1}^{n} \Big[ \Big( \sum_{i=1}^{M} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn + k} \Big) \Big( \sum_{i'=1}^{M} \sum_{j'=1}^{m} v_{i'j'k} \Big) - \sum_{i=1}^{M} \sum_{j=1}^{m} w_{ijk} x^{i(m+1)n + jn + k} \Big]$$

contains the desired polynomial from (1), but there are some cross-terms corresponding to $i \neq i'$ or $j \neq j'$, so the polynomial given above may be non-zero.

We will choose the $a_\alpha$ and $b_\beta$ values such that they cancel out the cross-terms. However, we have to be careful that there are only $O(M + m + n)$ of them and that they are feasible to compute. We will therefore use an interactive technique that will enable the prover to pick $a_\alpha$ and $b_\beta$ after seeing $x$. This introduces a second concern, namely to choose them in a way such that they do not affect the original equality we wish to get. We accomplish this by making sure that $a_\alpha$ and $b_\beta$ are modified by factors $y^\alpha$ and $z^\beta$ for $\alpha, \beta \neq 0$ while the desired equality does not contain any such factors. To make this happen we will modify the opening process of the commitments $C_{U_i}$ and $C_{V_i}$ described above to open

$$\prod_{i=1}^{M} C_{U_i}^{x^{i(m+1)n} y^i} = \mathrm{com}^{(2)}_{ck}(c_{u_1}, \ldots, c_{u_m}) \qquad \prod_{j=1}^{m} c_{u_j}^{x^{jn} z^j} = \mathrm{com}_{ck}(u_1, \ldots, u_n; r)$$

$$\prod_{i=1}^{M} C_{V_i}^{y^{-i}} = \mathrm{com}^{(2)}_{ck}(c_{v_1}, \ldots, c_{v_m}) \qquad \prod_{j=1}^{m} c_{v_j}^{z^{-j}} = \mathrm{com}_{ck}(v_1, \ldots, v_n; s)$$




This gives us

$$u_k x^k = \sum_{i=1}^{M} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn + k} y^i z^j \qquad v_k = \sum_{i=1}^{M} \sum_{j=1}^{m} v_{ijk} y^{-i} z^{-j}.$$

We now have

$$\sum_{k=1}^{n} u_k x^k v_k = \sum_{k=1}^{n} \Big( \sum_{i=1}^{M} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn + k} y^i z^j \Big) \Big( \sum_{i'=1}^{M} \sum_{j'=1}^{m} v_{i'j'k} y^{-i'} z^{-j'} \Big)$$

$$= \sum_{k=1}^{n} \sum_{i=1}^{M} \sum_{i'=1}^{M} \sum_{j=1}^{m} \sum_{j'=1}^{m} u_{ijk} x^{i(m+1)n + jn + k} v_{i'j'k} y^{i - i'} z^{j - j'}.$$

By splitting the sum into three parts corresponding to the three cases $j = j', i = i'$ and $j = j', i \neq i'$ and $j \neq j'$, and subtracting the $w_k x^k$'s, we get

$$\sum_{k=1}^{n} (u_k v_k - w_k) x^k = \sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} (u_{ijk} v_{ijk} - w_{ijk}) x^{i(m+1)n + jn + k}$$

$$+ \sum_{\substack{i, i' = 1 \\ i \neq i'}}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} u_{ijk} x^{i(m+1)n + jn + k} v_{i'jk} y^{i - i'}$$

$$+ \sum_{i=1}^{M} \sum_{i'=1}^{M} \sum_{\substack{j, j' = 1 \\ j \neq j'}}^{m} \sum_{k=1}^{n} u_{ijk} x^{i(m+1)n + jn + k} v_{i'j'k} y^{i - i'} z^{j - j'} \qquad (2)$$

$$= \sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} (u_{ijk} v_{ijk} - w_{ijk}) x^{i(m+1)n + jn + k}$$

$$+ \sum_{\alpha \neq 0} y^\alpha \sum_{\substack{i, i' = 1 \\ i - i' = \alpha}}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} u_{ijk} x^{i(m+1)n + jn + k} v_{i'jk}$$

$$+ \sum_{\beta \neq 0} z^\beta \sum_{\substack{j, j' = 1 \\ j - j' = \beta}}^{m} \sum_{k=1}^{n} \Big( \sum_{i=1}^{M} u_{ijk} x^{i(m+1)n + jn + k} y^i \Big) \Big( \sum_{i'=1}^{M} v_{i'j'k} y^{-i'} \Big).$$


The prover will select

$$a_\alpha = \sum_{\substack{i, i' = 1 \\ i - i' = \alpha}}^{M} \sum_{k=1}^{n} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn + k} v_{i'jk}$$

$$b_\beta = \sum_{\substack{j, j' = 1 \\ j - j' = \beta}}^{m} \sum_{k=1}^{n} \Big( \sum_{i=1}^{M} u_{ijk} x^{i(m+1)n + jn + k} y^i \Big) \Big( \sum_{i'=1}^{M} v_{i'j'k} y^{-i'} \Big)$$
and send the commitments $\{c_{a_\alpha}\}_\alpha$ before seeing $y$ and send $\{c_{b_\beta}\}_\beta$ before seeing $z$. She will reveal randomness $R \in \mathbb{Z}_p$ such that

$$\prod_{\alpha \neq 0} c_{a_\alpha}^{y^\alpha} \prod_{\beta \neq 0} c_{b_\beta}^{z^\beta} = \mathrm{com}_{ck}\Big( \sum_{k=1}^{n} (u_k v_k - w_k) x^k; R \Big).$$

This corresponds to the values in the commitments satisfying

$$\sum_{\alpha \neq 0} a_\alpha y^\alpha + \sum_{\beta \neq 0} b_\beta z^\beta = \sum_{k=1}^{n} (u_k v_k - w_k) x^k.$$

Keeping in mind the expansion of the right hand side (2) we get that with overwhelming probability over $y, z$ this can only be true if equation (1) holds.
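The identity above, evaluated directly on the committed values over Z_p rather than on commitments, as an added example that is not from the paper; the prime, the small sizes and the random witness are constructed, and a_alpha, b_beta, u_k, v_k, w_k follow the definitions in the text:

```python
# Added example, not from the paper: evaluates the batch product identity
#   sum_alpha a_alpha y^alpha + sum_beta b_beta z^beta = sum_k (u_k v_k - w_k) x^k
# directly on the values u_ijk, v_ijk, w_ijk (commitments omitted), with a_alpha,
# b_beta, u_k, v_k, w_k defined as in the text. The prime P, the sizes and the
# random witness are constructed for this example.
import random

P = 2**61 - 1  # constructed prime standing in for the group order p


def make_witness(M, m, n, seed=1, corrupt=None):
    """Random u_ijk, v_ijk and w_ijk = u_ijk v_ijk for i<=M, j<=m, k<=n (1-indexed).
    If corrupt=(i, j, k) is given, that single w_ijk is made wrong."""
    rnd = random.Random(seed)
    u, v, w = {}, {}, {}
    for i in range(1, M + 1):
        for j in range(1, m + 1):
            for k in range(1, n + 1):
                u[i, j, k] = rnd.randrange(P)
                v[i, j, k] = rnd.randrange(P)
                w[i, j, k] = u[i, j, k] * v[i, j, k] % P
    if corrupt is not None:
        w[corrupt] = (w[corrupt] + 1) % P
    return u, v, w


def e(i, j, k, m, n):
    """The exponent i(m+1)n + jn + k of x; distinct for distinct (i, j, k)."""
    return i * (m + 1) * n + j * n + k


def both_sides(M, m, n, u, v, w, x, y, z):
    """Returns (lhs, rhs) of the identity for challenges x, y, z in Z_p^*."""
    def yp(t):  # y^t mod P, also for negative t (since y^(P-1) = 1)
        return pow(y, t % (P - 1), P)

    def zp(t):
        return pow(z, t % (P - 1), P)

    I, J, K = range(1, M + 1), range(1, m + 1), range(1, n + 1)
    xe = lambda i, j, k: pow(x, e(i, j, k, m, n), P)

    # The opened linear combinations u_k, v_k, w_k of the modified opening.
    uk = {k: sum(u[i, j, k] * xe(i, j, 0) * yp(i) * zp(j) for i in I for j in J) % P
          for k in K}
    vk = {k: sum(v[i, j, k] * yp(-i) * zp(-j) for i in I for j in J) % P for k in K}
    wk = {k: sum(w[i, j, k] * xe(i, j, 0) for i in I for j in J) % P for k in K}
    rhs = sum((uk[k] * vk[k] - wk[k]) * pow(x, k, P) for k in K) % P

    # a_alpha collects the cross terms with j = j' and i - i' = alpha != 0.
    a = {}
    for alpha in range(-M, M + 1):
        if alpha == 0:
            continue
        a[alpha] = sum(u[i, j, k] * xe(i, j, k) * v[i - alpha, j, k]
                       for i in I for j in J for k in K if 1 <= i - alpha <= M) % P

    # b_beta collects the cross terms with j - j' = beta != 0 (any i, i').
    b = {}
    for beta in range(-m, m + 1):
        if beta == 0:
            continue
        total = 0
        for j in J:
            jj = j - beta
            if not 1 <= jj <= m:
                continue
            for k in K:
                left = sum(u[i, j, k] * xe(i, j, k) * yp(i) for i in I)
                right = sum(v[ii, jj, k] * yp(-ii) for ii in I)
                total += left * right
        b[beta] = total % P

    lhs = (sum(a[t] * yp(t) for t in a) + sum(b[t] * zp(t) for t in b)) % P
    return lhs, rhs


def identity_holds(M, m, n, corrupt=None, seed=1):
    """True iff the identity holds for fresh random challenges. An honest witness
    always passes; with one wrong w_ijk the two sides differ by the diagonal term
    x^{e(i,j,k)} != 0, so the check fails for every x in Z_p^*."""
    u, v, w = make_witness(M, m, n, seed, corrupt)
    rnd = random.Random(seed + 1000)
    x, y, z = (rnd.randrange(1, P) for _ in range(3))
    lhs, rhs = both_sides(M, m, n, u, v, w, x, y, z)
    return lhs == rhs
```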

In order to make the protocol SHVZK we add some commitments and values such that $c_{u_j}, c_{v_j}, c_{w_j}$ and $u_k, v_k, w_k$ cannot reveal anything about $u_{ijk}, v_{ijk}, w_{ijk}$. Furthermore, we add some $d_k$ values and $c_{d_k}$ commitments to cancel out new cross-terms arising from the added values. This gives us the full batch product argument below.

Common reference string: Two-tiered commitment key $ck$.

Statement: Commitments $C_{U_1}, C_{V_1}, C_{W_1}, \ldots, C_{U_M}, C_{V_M}, C_{W_M} \in T$.

Prover's witness: Values $u_{111}, v_{111}, w_{111}, \ldots, u_{Mmn}, v_{Mmn}, w_{Mmn} \in \mathbb{Z}_p$ and randomness $r_{11}, s_{11}, t_{11}, \ldots, r_{Mm}, s_{Mm}, t_{Mm} \in \mathbb{Z}_p$ such that for all $i \in \{1, \ldots, M\}$, $j \in \{1, \ldots, m\}$, $k \in \{1, \ldots, n\}$

$$c_{U_{ij}} = \mathrm{com}_{ck}(u_{ij1}, \ldots, u_{ijn}; r_{ij}) \qquad C_{U_i} = \mathrm{com}^{(2)}_{ck}(c_{U_{i1}}, \ldots, c_{U_{im}})$$

$$c_{V_{ij}} = \mathrm{com}_{ck}(v_{ij1}, \ldots, v_{ijn}; s_{ij}) \qquad C_{V_i} = \mathrm{com}^{(2)}_{ck}(c_{V_{i1}}, \ldots, c_{V_{im}})$$

$$c_{W_{ij}} = \mathrm{com}_{ck}(w_{ij1}, \ldots, w_{ijn}; t_{ij}) \qquad C_{W_i} = \mathrm{com}^{(2)}_{ck}(c_{W_{i1}}, \ldots, c_{W_{im}})$$

$$u_{ijk} v_{ijk} = w_{ijk}.$$

1. $\mathcal{P} \to \mathcal{V}$: Pick $u_{00k}, v_{00k}, w_{00k} \leftarrow \mathbb{Z}_p$ and set $u_{0jk} = v_{0jk} = w_{0jk} = 0$ and $u_{i0k} = v_{i0k} = w_{i0k} = 0$ for $i \neq 0$ and $j \neq 0$. Pick $r_{00}, s_{00}, t_{00}, \tau_1, \ldots, \tau_n \leftarrow \mathbb{Z}_p$ and pick $r_{0j}, s_{0j}, t_{0j} \leftarrow \mathbb{Z}_p$ for $j \in \{1, \ldots, m\}$. Compute for $j \in \{0, \ldots, m\}$ and $k \in \{1, \ldots, n\}$

$$c_{U_{0j}} = \mathrm{com}_{ck}(u_{0j1}, \ldots, u_{0jn}; r_{0j}) \qquad C_{U_0} = \mathrm{com}^{(2)}_{ck}(c_{U_{01}}, \ldots, c_{U_{0m}})$$

$$c_{V_{0j}} = \mathrm{com}_{ck}(v_{0j1}, \ldots, v_{0jn}; s_{0j}) \qquad C_{V_0} = \mathrm{com}^{(2)}_{ck}(c_{V_{01}}, \ldots, c_{V_{0m}})$$

$$c_{W_{0j}} = \mathrm{com}_{ck}(w_{0j1}, \ldots, w_{0jn}; t_{0j}) \qquad C_{W_0} = \mathrm{com}^{(2)}_{ck}(c_{W_{01}}, \ldots, c_{W_{0m}})$$

$$d_k = u_{00k} v_{00k} - w_{00k} \qquad c_{d_k} = \mathrm{com}_{ck}(d_k; \tau_k)$$

Send: $c_{U_{00}}, c_{V_{00}}, c_{W_{00}}, C_{U_0}, C_{V_0}, C_{W_0}, \{c_{d_k}\}_{k=1}^{n}$.

2. $\mathcal{V} \to \mathcal{P}$: $x \leftarrow \mathbb{Z}_p^*$.

3. $\mathcal{P} \to \mathcal{V}$: For $\alpha \in \{-M, \ldots, -1, 1, \ldots, M\}$ pick $\rho_\alpha \leftarrow \mathbb{Z}_p$ and compute

$$a_\alpha = \sum_{\substack{i, i' = 0 \\ i - i' = \alpha}}^{M} \sum_{j=0}^{m} \sum_{k=1}^{n} u_{ijk} x^{i(m+1)n + jn + k} v_{i'jk} \qquad c_{a_\alpha} = \mathrm{com}_{ck}(a_\alpha; \rho_\alpha).$$

Compute also for $j \in \{1, \ldots, m\}$

$$c_{w_j} = \prod_{i=0}^{M} c_{W_{ij}}^{x^{i(m+1)n}}.$$

Send: $\{c_{a_\alpha}\}_{\alpha \in \{-M, \ldots, -1, 1, \ldots, M\}}, \{c_{w_j}\}_{j=1}^{m}$.

4. $\mathcal{V} \to \mathcal{P}$: $y \leftarrow \mathbb{Z}_p^*$.

5. $\mathcal{P} \to \mathcal{V}$: Compute for $j \in \{1, \ldots, m\}$

$$c_{u_j} = \prod_{i=0}^{M} c_{U_{ij}}^{x^{i(m+1)n} y^i} \qquad c_{v_j} = \prod_{i=0}^{M} c_{V_{ij}}^{y^{-i}}.$$

For $\beta \in \{-m, \ldots, -1, 1, \ldots, m\}$ pick $\sigma_\beta \leftarrow \mathbb{Z}_p$ and compute

$$b_\beta = \sum_{\substack{j, j' = 0 \\ j - j' = \beta}}^{m} \sum_{k=1}^{n} \Big( \sum_{i=0}^{M} u_{ijk} x^{i(m+1)n + jn + k} y^i \Big) \Big( \sum_{i'=0}^{M} v_{i'j'k} y^{-i'} \Big) \qquad c_{b_\beta} = \mathrm{com}_{ck}(b_\beta; \sigma_\beta).$$

Send: $\{c_{b_\beta}\}_{\beta \in \{-m, \ldots, -1, 1, \ldots, m\}}, \{c_{u_j}, c_{v_j}\}_{j=1}^{m}$.

6. $\mathcal{V} \to \mathcal{P}$: $z \leftarrow \mathbb{Z}_p^*$.

7. $\mathcal{P} \to \mathcal{V}$: Compute for $k \in \{1, \ldots, n\}$

$$u_k = u_{00k} + \sum_{i=0}^{M} \sum_{j=1}^{m} u_{ijk} x^{i(m+1)n + jn} y^i z^j \qquad r = r_{00} + \sum_{i=0}^{M} \sum_{j=1}^{m} r_{ij} x^{i(m+1)n + jn} y^i z^j$$

$$v_k = v_{00k} + \sum_{i=0}^{M} \sum_{j=1}^{m} v_{ijk} y^{-i} z^{-j} \qquad s = s_{00} + \sum_{i=0}^{M} \sum_{j=1}^{m} s_{ij} y^{-i} z^{-j}$$

$$w_k = w_{00k} + \sum_{i=0}^{M} \sum_{j=1}^{m} w_{ijk} x^{i(m+1)n + jn} \qquad t = t_{00} + \sum_{i=0}^{M} \sum_{j=1}^{m} t_{ij} x^{i(m+1)n + jn}$$

$$R = \sum_{k=1}^{n} \tau_k x^k + \sum_{\alpha \neq 0} \rho_\alpha y^\alpha + \sum_{\beta \neq 0} \sigma_\beta z^\beta.$$

Send: $\{u_k, v_k, w_k\}_{k=1}^{n}, r, s, t, R$.

Verification: Accept the argument if the following holds

$$c_{U_{00}} \prod_{j=1}^{m} c_{u_j}^{x^{jn} z^j} = \mathrm{com}_{ck}(u_1, \ldots, u_n; r) \qquad \prod_{i=0}^{M} C_{U_i}^{x^{i(m+1)n} y^i} = \mathrm{com}^{(2)}_{ck}(c_{u_1}, \ldots, c_{u_m})$$

$$c_{V_{00}} \prod_{j=1}^{m} c_{v_j}^{z^{-j}} = \mathrm{com}_{ck}(v_1, \ldots, v_n; s) \qquad \prod_{i=0}^{M} C_{V_i}^{y^{-i}} = \mathrm{com}^{(2)}_{ck}(c_{v_1}, \ldots, c_{v_m})$$

$$c_{W_{00}} \prod_{j=1}^{m} c_{w_j}^{x^{jn}} = \mathrm{com}_{ck}(w_1, \ldots, w_n; t) \qquad \prod_{i=0}^{M} C_{W_i}^{x^{i(m+1)n}} = \mathrm{com}^{(2)}_{ck}(c_{w_1}, \ldots, c_{w_m})$$

$$\prod_{\alpha \neq 0} c_{a_\alpha}^{y^\alpha} \prod_{\beta \neq 0} c_{b_\beta}^{z^\beta} \prod_{k=1}^{n} c_{d_k}^{x^k} = \mathrm{com}_{ck}\Big( \sum_{k=1}^{n} (u_k v_k - w_k) x^k; R \Big).$$


Theorem 1 (Full paper). The argument given above has perfect completeness, per- 
fect SHVZK and witness-extended emulation if the two-tiered commitment scheme is 
binding. 
Complexity. The communication complexity of the batch product argument is 3 elements in $T$, $2M + 5m + n + 1$ elements in $G$ and $3n + 7$ elements in $\mathbb{Z}_p$.

Let us estimate the computation complexity assuming that we use the two-tiered commitment scheme we described in Section 2.1 in an asymmetric bilinear group with base groups $G, \hat{G}$ and target group $T$. The verifier's computation is $3m$ pairings and exponentiations in the target group $T$ and $5M + 2m + 4n$ exponentiations in the base group $G$. Using standard techniques for batch verification some of the equations can be combined in a randomized manner, and we may also use multi-exponentiation techniques to reduce the complexity further to $O\big(\frac{M + m + n}{\log(M + m + n)}\big)$ exponentiations.

A naive implementation of the prover would require $3m$ pairings and $O(M + m + n)$ exponentiations and $O(N(M + m))$ multiplications in $\mathbb{Z}_p$, where $N = Mmn$. When $M$ or $m$ are large the latter complexity dominates.

We can use techniques for polynomial multiplication to reduce the prover's computation. Consider as an example the computation in round 3, where the prover computes

$$a_\alpha = \sum_{\substack{i, i' = 0 \\ i - i' = \alpha}}^{M} \sum_{j=0}^{m} \sum_{k=1}^{n} u_{ijk} x^{i(m+1)n + jn + k} v_{i'jk}$$

for $\alpha = -M, \ldots, -1, 1, \ldots, M$. Define $\mathbf{u}_i = (u_{i01} x^{i(m+1)n + 0n + 1}, \ldots, u_{imn} x^{i(m+1)n + mn + n})$ and $\mathbf{v}_{i'} = (v_{i'01}, \ldots, v_{i'mn})$, which allows us to rewrite it as

$$a_\alpha = \sum_{\substack{i, i' = 0 \\ i - i' = \alpha}}^{M} \mathbf{u}_i \cdot \mathbf{v}_{i'}.$$

Observe that $a_\alpha$ is the $(M + \alpha)$'th coefficient of the polynomial

$$p(\omega) = \Big( \sum_{i=0}^{M} \mathbf{u}_i \omega^i \Big) \cdot \Big( \sum_{i'=0}^{M} \mathbf{v}_{i'} \omega^{M - i'} \Big) \in \mathbb{Z}_p[\omega].$$

The degree of the polynomial is $2M$, so if we evaluate it in $2M + 1$ different points $\omega_1, \ldots, \omega_{2M+1} \in \mathbb{Z}_p$ we can use polynomial interpolation to recover the coefficients. The evaluation of $\sum_{i=0}^{M} \mathbf{u}_i \omega^i$ and $\sum_{i'=0}^{M} \mathbf{v}_{i'} \omega^{M - i'}$ in $2M + 1$ different points can be done using $O(N \log^2 M)$ multiplications. If $2M \mid p - 1$ and $M$ is a power of 2 we can pick $\omega_1, \ldots, \omega_{2M}$ as $2M$-th roots of unity, i.e., $\omega_\ell^{2M} = 1$, and use the Fast Fourier Transform to reduce the cost further down to $O(N \log M)$ multiplications.³ Similarly, we can compute $b_{-m}, \ldots, b_{-1}, b_1, \ldots, b_m$ using $O(N \log^2 m)$ multiplications, or $O(N \log m)$ multiplications if $2m \mid p - 1$ and $m$ is a power of 2.
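The coefficient trick above, carried out with evaluation at 2M+1 points and Lagrange interpolation and checked against the direct sum, as an added example that is not from the paper; the prime and the vectors u_i, v_i' (with the u_i already carrying their powers of x) are constructed:

```python
# Added example, not from the paper: computes the round-3 coefficients a_alpha as
# the coefficients of p(omega) = (sum_i u_i omega^i) . (sum_i' v_i' omega^(M-i'))
# by evaluating p at 2M+1 points and interpolating, and checks the result against
# the direct sum over i - i' = alpha. P and the vectors are constructed; the u_i
# are assumed to already carry their powers of x, and indices i run 0..M.
import random

P = 2**61 - 1  # constructed prime standing in for the group order p


def inner(a, b):
    """Inner product of two vectors over Z_p."""
    return sum(s * t for s, t in zip(a, b)) % P


def direct_coefficients(U, V):
    """a_alpha = sum_{i - i' = alpha} <u_i, v_i'> for alpha = -M..M; alpha = 0 is
    included so that all 2M+1 coefficients of p can be compared."""
    M = len(U) - 1
    return {al: sum(inner(U[i], V[i - al]) for i in range(M + 1) if 0 <= i - al <= M) % P
            for al in range(-M, M + 1)}


def evaluate(vecs, point, reverse=False):
    """sum_i vecs[i] point^i (or point^(M-i) if reverse) as a vector mod P."""
    M = len(vecs) - 1
    out = [0] * len(vecs[0])
    for i, vec in enumerate(vecs):
        c = pow(point, M - i if reverse else i, P)
        out = [(o + c * val) % P for o, val in zip(out, vec)]
    return out


def interpolate(points, values):
    """Lagrange interpolation over Z_p: coefficients (index = degree) of the unique
    polynomial of degree < len(points) with poly(points[i]) = values[i]."""
    n = len(points)
    coeffs = [0] * n
    for i in range(n):
        num, denom = [1], 1  # prod_{j != i} (X - x_j) and the scalar prod (x_i - x_j)
        for j in range(n):
            if j == i:
                continue
            # multiply num by (X - x_j): new coeff t = num[t-1] - x_j * num[t]
            num = [(prev - points[j] * cur) % P for prev, cur in zip([0] + num, num + [0])]
            denom = denom * (points[i] - points[j]) % P
        scale = values[i] * pow(denom, P - 2, P) % P
        coeffs = [(c + scale * t) % P for c, t in zip(coeffs, num)]
    return coeffs


def coefficients_by_interpolation(U, V):
    """a_alpha recovered from 2M+1 evaluations of p; a_alpha is the coefficient
    of omega^(M+alpha)."""
    M = len(U) - 1
    pts = list(range(1, 2 * M + 2))
    vals = [inner(evaluate(U, w), evaluate(V, w, reverse=True)) for w in pts]
    coeffs = interpolate(pts, vals)
    return {t - M: coeffs[t] for t in range(2 * M + 1)}


def trick_matches_direct(M, dim, seed=7):
    """Constructed random vectors u_0..u_M, v_0..v_M of length dim = (m+1)n."""
    rnd = random.Random(seed)
    U = [[rnd.randrange(P) for _ in range(dim)] for _ in range(M + 1)]
    V = [[rnd.randrange(P) for _ in range(dim)] for _ in range(M + 1)]
    return coefficients_by_interpolation(U, V) == direct_coefficients(U, V)
```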


Known values. Sometimes it will be useful to use publicly known values $u_{ijk}$ in the argument. The trivial way to handle this is to use commitments $c_{U_{ij}} = \mathrm{com}_{ck}(u_{ij1}, \ldots, u_{ijn}; 0)$. Since they use trivial randomness, the verifier can check directly that $C_{U_1}, \ldots, C_{U_M}$ contain the correct values. A more careful inspection reveals that some efficiency savings can be made by abandoning the commitments $c_{U_{ij}}$ altogether. Since the $u_{ijk}$ values are public we do not need to hide them, so the prover may choose $u_{0jk} = 0$. The verifier can now herself compute the resulting $u_k$ values without using the commitments at all.

³ It takes a while before the asymptotic behaviour kicks in, so for small $M$ it may be better to use Toom-Cook related methods for computing the coefficients $a_{-M}, \ldots, a_M$.

A similar analysis reveals that when $w_{ijk}$ are known the prover does not need to communicate any $C_{W_i}$ or $c_{w_j}$ commitments since the verifier can compute $w_k$ himself. In the special case where $w_{ijk} = 0$ this simplifies to fixing $w_k = 0$.

3.1 Inner Product Argument 

A slight modification of the batch product argument allows the prover to demonstrate instead $\sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} u_{ijk} v_{ijk} = \sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} w_{ijk}$. The main observation is that we can fix $x = 1$ instead of letting the verifier choose it, in which case equation (1) gives us the desired equality.

The only issue in following this idea is the cross-terms arising from $u_{0jk}, v_{0jk}, w_{0jk}$. We therefore compute $C_{U_0}, C_{V_0}, C_{W_0}, c_{U_{00}}, c_{V_{00}}, c_{W_{00}}$ giving us commitments to $u_{0jk} x, v_{0jk} x, w_{0jk} x$. Since $x \in \mathbb{Z}_p^*$ these values will still ensure that $c_{u_j}, c_{v_j}, c_{w_j}, u_k, v_k, w_k$ do not leak any information about $u_{ijk}, v_{ijk}, w_{ijk}$. But since they are modified by a random factor $x$ throughout the argument they will not interfere with the equation $\sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} u_{ijk} v_{ijk} = \sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} w_{ijk}$. To get perfect completeness, we use two commitments to $d_1$ and $d_2$ values to cancel out cross-terms corresponding to $x$ and $x^2$.

4 Arguments for Circuit Satisfiability 

Using the batch product argument from Section 3 we can give a 7-move SHVZK argument for circuit satisfiability. Consider a boolean circuit consisting of $N - 1$ NAND-gates where the prover wants to convince the verifier that there is a satisfying assignment making the circuit output 1. If the output wire is $w$, we can add a new variable $u$ and add a self-looping gate of the form $w = \neg(w \wedge u)$, which can only be satisfied if $w = 1$. The prover now has a circuit with $N$ NAND-gates and no output and wants to demonstrate that there is an internally consistent assignment to the wires that respects all gates.

Let us without loss of generality consider a circuit with $N = Mmn$ NAND-gates for which the prover wants to demonstrate that there is a consistent assignment. The prover enumerates the two inputs and the output of each gate as $u_{ijk}, v_{ijk}, w_{ijk}$. The task is now to show that the committed values correspond to a satisfying assignment for the circuit.

The prover first shows that all the committed values are either 0 or 1, corresponding to truth values. This is done by using batch product arguments to show $u_{ijk} u_{ijk} = u_{ijk}$, $v_{ijk} v_{ijk} = v_{ijk}$ and $w_{ijk} w_{ijk} = w_{ijk}$, which can only be true if $u_{ijk}, v_{ijk}, w_{ijk} \in \{0, 1\}$.

The prover then uses the homomorphic property of the commitment scheme to compute commitments to $1 - w_{ijk}$. Using another batch product argument it can show $u_{ijk} v_{ijk} = 1 - w_{ijk}$, which means the committed values respect the NAND-gates. Finally, using a technique from [?] it uses an inner product argument to show that all committed values $u_{ijk}, v_{ijk}$ and $w_{ijk}$ corresponding to the same wire $x_\ell$ are consistent with each other. We describe this technique in the full circuit satisfiability argument below.

Common reference string: Two-tiered commitment key ck. 

Statement: $N = Mmn$ NAND-gates $x_{\ell_2} = \neg(x_{\ell_0} \wedge x_{\ell_1})$ over variables $x_\ell$.

Prover's witness: An assignment to $\{x_\ell\}$ respecting all NAND-gates.

Argument: Label the inputs and outputs of the gates $\{u_{ijk}, v_{ijk}, w_{ijk}\}_{i,j,k=1}^{M,m,n}$. Pick $r_{ij}, s_{ij}, t_{ij} \leftarrow \mathbb{Z}_p$ and compute the commitments

$$c_{U_{ij}} = \mathrm{com}_{ck}(u_{ij1}, \ldots, u_{ijn}; r_{ij}) \qquad C_{U_i} = \mathrm{com}^{(2)}_{ck}(c_{U_{i1}}, \ldots, c_{U_{im}})$$

$$c_{V_{ij}} = \mathrm{com}_{ck}(v_{ij1}, \ldots, v_{ijn}; s_{ij}) \qquad C_{V_i} = \mathrm{com}^{(2)}_{ck}(c_{V_{i1}}, \ldots, c_{V_{im}})$$

$$c_{W_{ij}} = \mathrm{com}_{ck}(w_{ij1}, \ldots, w_{ijn}; t_{ij}) \qquad C_{W_i} = \mathrm{com}^{(2)}_{ck}(c_{W_{i1}}, \ldots, c_{W_{im}})$$

Send $\{C_{U_i}, C_{V_i}, C_{W_i}\}_{i=1}^{M}$ to the verifier.

Engage in three batch product arguments with statements $\{C_{U_i}, C_{U_i}, C_{U_i}\}_{i=1}^{M}$, $\{C_{V_i}, C_{V_i}, C_{V_i}\}_{i=1}^{M}$ and $\{C_{W_i}, C_{W_i}, C_{W_i}\}_{i=1}^{M}$ in order to show that $u_{ijk}, v_{ijk}, w_{ijk} \in \{0, 1\}$.

Define $c_1 = \mathrm{com}_{ck}(1, \ldots, 1; 0)$ and $C_1 = \mathrm{com}^{(2)}_{ck}(c_1, \ldots, c_1)$. Engage in a batch product argument with statement $\{C_{U_i}, C_{V_i}, C_1 C_{W_i}^{-1}\}_{i=1}^{M}$ to show that the NAND-gates are respected.

There are $3N = 3Mmn$ committed values $u_{ijk}, v_{ijk}, w_{ijk}$. Let us rename them $\{b_i\}_{i=1}^{3N}$ and the corresponding commitments $\{C_{B_i}\}_{i=1}^{3M}$. The same variable $x_\ell$ may appear $n_\ell$ times in the circuit as $b_{i_1}, \ldots, b_{i_{n_\ell}}$. Define $\pi$ as the permutation in $S_{3N}$ such that for each variable $x_\ell$ appearing $n_\ell$ times in the circuit the permutation makes a complete cycle $i_1 \to i_2 \to \cdots \to i_{n_\ell} \to i_1$ corresponding to those appearances.

The prover receives a challenge $y$ from the verifier and defines $a_i = y^i - y^{\pi(i)}$. It uses the inner product argument⁴ from Section 3.1 to demonstrate $\sum_{i=1}^{3N} a_i b_i = 0$. This shows that for random $y$

$$\sum_{i=1}^{3N} a_i b_i = \sum_{i=1}^{3N} (y^i - y^{\pi(i)}) b_i = \sum_{i=1}^{3N} y^i (b_i - b_{\pi^{-1}(i)}) = 0.$$

With overwhelming probability over $y$ this shows $b_{\pi^{-1}(i)} = b_i$ for all $i$, thus proving that the values $b_i$ and hence the values $u_{ijk}, v_{ijk}, w_{ijk}$ are consistent with the wires $x_\ell$.

Verification: Verify the 4 batch product proofs and the inner product argument. 

Theorem 2 (Full paper). The argument for circuit satisfiability has perfect completeness, perfect SHVZK and witness-extended emulation.

4 The first round of the inner product argument can be run independently of y such that the total 
round complexity remains 7. 
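As an added illustration (not code from the paper), the wire-consistency step above computed in the clear: a constructed three-gate NAND circuit is flattened into the values $b_1, \dots, b_{3N}$, the cycle permutation $\pi$ is built from the wire labels, and the verifier's condition $\sum_i (y^i - y^{\pi(i)}) b_i = 0$ is evaluated over $\mathbb{Z}_p$ with $p = 2^{127} - 1$ standing in for the field. Commitments and the inner product argument are abstracted away; the assumed circuit and the local gate check are constructed for this example.

```python
# Added example (not from the paper): the wire-consistency step of the circuit
# satisfiability argument, computed in the clear over Z_p. The commitments and the
# inner product argument are abstracted away; what is shown is how the permutation
# pi and the public coefficients a_i = y^i - y^{pi(i)} make <a, b> = 0 exactly when
# every copy of a wire carries the same value.
P = (1 << 127) - 1  # a Mersenne prime, standing in for the field Z_p of the paper


def flatten_gates(gates, assignment):
    """Lay out N NAND-gates (l0, l1, l2) with x_{l2} = not(x_{l0} and x_{l1}) as the
    3N values b_1..b_{3N} = u_1, v_1, w_1, u_2, v_2, w_2, ... (1-based positions).
    Returns (b, wire_of) where wire_of[i-1] is the variable index carried by b_i."""
    b, wire_of = [], []
    for (l0, l1, l2) in gates:
        b += [assignment[l0], assignment[l1], assignment[l2]]
        wire_of += [l0, l1, l2]
    return b, wire_of


def wiring_permutation(wire_of):
    """pi in S_{3N}: for a variable appearing at positions i_1, ..., i_{n_l}, cycle
    i_1 -> i_2 -> ... -> i_{n_l} -> i_1 (a single appearance is a fixed point)."""
    positions = {}
    for i, l in enumerate(wire_of, start=1):
        positions.setdefault(l, []).append(i)
    pi = {}
    for idxs in positions.values():
        for pos, i in enumerate(idxs):
            pi[i] = idxs[(pos + 1) % len(idxs)]
    return pi


def coefficients(pi, y, p=P):
    """Public vector a_i = y^i - y^{pi(i)} mod p, i = 1..3N, derived from the challenge y."""
    return [(pow(y, i, p) - pow(y, pi[i], p)) % p for i in range(1, len(pi) + 1)]


def inner_product(a, b, p=P):
    """<a, b> mod p; this is the value the inner product argument proves to be 0."""
    return sum(ai * bi for ai, bi in zip(a, b)) % p


def gates_respected(b):
    """The local checks covered by the batch product arguments: every value is a bit
    and each gate satisfies u*v = 1 - w. Says nothing about consistency across gates."""
    if any(x not in (0, 1) for x in b):
        return False
    return all(b[g] * b[g + 1] == 1 - b[g + 2] for g in range(0, len(b), 3))


def wires_consistent(b, wire_of, y, p=P):
    """Verifier's view: accept iff sum_i (y^i - y^{pi(i)}) b_i == 0 mod p."""
    return inner_product(coefficients(wiring_permutation(wire_of), y, p), b, p) == 0


# Constructed 3-gate circuit over variables x_1..x_5:
#   x_3 = not(x_1 and x_2),  x_4 = not(x_3 and x_1),  x_5 = not(x_3 and x_4)
GATES = [(1, 2, 3), (3, 1, 4), (3, 4, 5)]
HONEST = {1: 1, 2: 1, 3: 0, 4: 1, 5: 1}  # a satisfying assignment


def honest_values():
    return flatten_gates(GATES, HONEST)


def cheating_values():
    """Every gate holds in isolation, but the three copies of x_3 (positions 3, 4, 7)
    and the two copies of x_4 (positions 6, 8) disagree: b = [1,1,0, 1,1,0, 0,1,1]."""
    _, wire_of = honest_values()
    return [1, 1, 0, 1, 1, 0, 0, 1, 1], wire_of


if __name__ == "__main__":
    for name, (b, wire_of) in (("honest", honest_values()), ("cheating", cheating_values())):
        print(name, "gates ok:", gates_respected(b),
              "wires ok for y=2:", wires_consistent(b, wire_of, 2))
```

For the cheating vector the inner product is the nonzero polynomial $y^4 - y^6 - y^7 + y^8$, so a random $y$ makes it vanish only with probability at most $3N/p$.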
Arithmetic circuits. Using similar techniques as in the circuit satisfiability argument, we can also get an argument for the satisfiability of arithmetic circuits consisting of addition and multiplication gates over $\mathbb{Z}_p$. The prover commits to the values and uses the homomorphic property of the commitment scheme to show that addition gates are respected and the batch product argument to show that multiplication gates are respected. If there are publicly known constants (without loss of generality a multiple of $mn$) involved in the circuit, the prover commits to these using randomness 0 so the verifier can check directly that they are correct. As in the circuit satisfiability argument the prover also demonstrates that the committed values are consistent with the wiring of the arithmetic circuit. This gives an arithmetic circuit argument with communication complexity $O(M + m + n)$.

5 Range Arguments 

As a concrete application of our batch product argument we will give a communication-efficient range proof. The prover has a commitment $c$ and wants to convince the verifier that she knows an opening $w, t$ such that $c = \mathrm{com}_{ck}(w; t)$ and $w \in [A; B)$. Since the commitment is homomorphic, the problem can be simplified to demonstrating that she knows an opening of $c \cdot \mathrm{com}_{ck}(-A; 0)$ in the range $[0; B - A)$. Let $N = \lfloor \log(B - A) \rfloor$. The prover can construct a commitment $c_{0/1} = \mathrm{com}_{ck}(b; s)$ and show that it contains 0 or 1 using standard techniques. By showing that $c \cdot \mathrm{com}_{ck}(-A; 0) \cdot c_{0/1}^{A - B + 2^N}$ contains a value in the range $[0; 2^N)$ she convinces the verifier that $w \in [A; B)$.

We can therefore without loss of generality focus on demonstrating that a committed value $w$ belongs to the interval $[0; 2^N)$. We will now give such a range argument that only communicates $O(N^{1/3})$ elements. The idea is that the prover will commit to the bit representation of $w$. Using a batch product argument the prover can demonstrate that the committed bits are 0 or 1. Furthermore, using techniques similar to the buildup of $w_k$ in the batch product argument the prover will demonstrate that $w = \sum_{i=1}^{M} \sum_{j=1}^{m} \sum_{k=1}^{n} w_{ijk} 2^{(i-1)mn + (j-1)n + k - 1}$ using $O(M + m + n)$ communication. If $M = O(N^{1/3})$, $m = O(N^{1/3})$, $n = O(N^{1/3})$ the communication complexity is $O(N^{1/3})$ elements.

Common reference string: $ck$.

Statement: $c \in G$.

Prover's witness: $w, t \in \mathbb{Z}_p$ such that $w \in [0; 2^N)$ and $c = \mathrm{com}_{ck}(w; t)$.

Argument: Let $\{w_{ijk}\}_{i,j,k=1}^{M,m,n}$ be the bits of $w$. Pick $r_{ij} \leftarrow \mathbb{Z}_p$ and compute

$c_{w_{ij}} = \mathrm{com}_{ck}(w_{ij1}, \dots, w_{ijn}; r_{ij})$   $C_{w_i} = \mathrm{com}^*_{ck}(c_{w_{i1}}, \dots, c_{w_{im}})$   $c_{w_j} = \prod_{i=1}^{M} c_{w_{ij}}^{2^{(i-1)mn}}$

Pick $w_{01}, \dots, w_{0n} \leftarrow \mathbb{Z}_p$ and $r_0, s_d \leftarrow \mathbb{Z}_p$ and compute $c_{w_0} = \mathrm{com}_{ck}(w_{01}, \dots, w_{0n}; r_0)$ and $c_d = \mathrm{com}_{ck}(\sum_{k=1}^{n} w_{0k} 2^{k-1}; s_d)$.

Send $\{C_{w_i}\}_{i=1}^{M}$, $\{c_{w_j}\}_{j=0}^{m}$ and $c_d$ to the verifier and get a challenge $x \leftarrow \mathbb{Z}_p^*$ back. Compute

$w_k = x w_{0k} + \sum_{i=1}^{M} \sum_{j=1}^{m} w_{ijk} 2^{(i-1)mn + (j-1)n}$   $r = x r_0 + \sum_{i=1}^{M} \sum_{j=1}^{m} r_{ij} 2^{(i-1)mn + (j-1)n}$   $s = s_d x + t$

and send them to the verifier.

In parallel, engage in a batch product argument with statement $\{C_{w_i}, C_{w_i}, C_{w_i}\}_{i=1}^{M}$ to show that each $w_{ijk}$ satisfies $w_{ijk} w_{ijk} = w_{ijk}$, which implies $w_{ijk} \in \{0, 1\}$.
Verification: Verify that the batch product argument is valid and

$\prod_{i=1}^{M} C_{w_i}^{2^{(i-1)mn}} = \mathrm{com}^*_{ck}(c_{w_1}, \dots, c_{w_m})$   $c_{w_0}^{x} \prod_{j=1}^{m} c_{w_j}^{2^{(j-1)n}} = \mathrm{com}_{ck}(w_1, \dots, w_n; r)$   $c_d^{x} c = \mathrm{com}_{ck}\left(\sum_{k=1}^{n} w_k 2^{k-1}; s\right).$

Theorem 3 (Full paper). The range argument given above has perfect completeness, perfect SHVZK and witness-extended emulation.
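An added worked example, not the paper's code, that carries out both reductions of this section with a toy Pedersen-style vector commitment $\mathrm{com}_{ck}(w_1, \dots, w_n; r) = h^r \prod_k g_k^{w_k}$: first the shift from $[A; B)$ to $[0; 2^N)$ via the 0/1 commitment, then the prover's responses $w_k, r, s$ and the verifier's first-tier equations for $w \in [0; 2^N)$ with $N = Mmn$. Assumed for the example: a constructed 64-bit safe-prime group (far too small for real use), constructed generators, and the omission of the batch product argument and of the second-tier commitments $C_{w_i}$, so only the homomorphic consistency the verifier checks is exercised.

```python
# Added example (not from the paper): the two reductions of Section 5 with a toy Pedersen-style
# vector commitment com_ck(w_1..w_n; r) = h^r * prod_k g_k^{w_k} in the order-q subgroup of Z_p^*,
# p = 2q + 1 a small safe prime. The batch product argument (each bit is 0 or 1) and the
# second-tier commitments C_{w_i} are left out; only the homomorphic checks are shown.
import random
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases; deterministic for n < 3.3e24."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with q > 2^(bits-1); toy parameter sizes only."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

class CommitmentKey:
    """ck = (p, q, g_1..g_n, h); toy generators (squares of small bases) lie in the order-q subgroup."""

    def __init__(self, n, bits=64):
        self.p, self.q = safe_prime(bits)
        self.g = [pow(3 + k, 2, self.p) for k in range(n)]
        self.h = pow(3 + n, 2, self.p)

    def com(self, values, r):
        """com_ck(values; r); a single integer is committed under g_1."""
        values = [values] if isinstance(values, int) else values
        acc = pow(self.h, r % self.q, self.p)
        for g_k, w_k in zip(self.g, values):
            acc = acc * pow(g_k, w_k % self.q, self.p) % self.p
        return acc

def shift_to_power_of_two(ck, c, A, B, w, t, s):
    """From c = com(w; t), w in [A, B), derive com(v; t') with 0 <= v < 2^N; returns (N, c', v, t')."""
    N = (B - A).bit_length() - 1           # N = floor(log2(B - A))
    b = 1 if w - A >= (1 << N) else 0      # the extra bit, committed as c_{0/1} = com(b; s)
    e = A - B + (1 << N)                    # exponent applied to c_{0/1}; negative here
    c_shift = c * ck.com(-A, 0) * pow(ck.com(b, s), e % ck.q, ck.p) % ck.p
    return N, c_shift, w - A + b * e, (t + s * e) % ck.q

def range_prover(ck, w, t, M, m, n, x, rng):
    """Prover side for w in [0, 2^N), N = M*m*n, given challenge x. Bit w_ijk has weight
    2^((i-1)mn + (j-1)n + k-1); indices i, j, k start at 1 as in the paper."""
    q, p = ck.q, ck.p
    bit = lambda i, j, k: (w >> ((i - 1) * m * n + (j - 1) * n + k - 1)) & 1
    weight = lambda i, j: 1 << ((i - 1) * m * n + (j - 1) * n)
    idx = [(i, j) for i in range(1, M + 1) for j in range(1, m + 1)]
    r = {ij: rng.randrange(q) for ij in idx}
    c_w = [1] * (m + 1)                      # c_w[j] = c_{w_j} = prod_i c_{w_ij}^{2^((i-1)mn)}
    for i, j in idx:
        c_ij = ck.com([bit(i, j, k) for k in range(1, n + 1)], r[i, j])
        c_w[j] = c_w[j] * pow(c_ij, (1 << ((i - 1) * m * n)) % q, p) % p
    w0, r0, s_d = [rng.randrange(q) for _ in range(n)], rng.randrange(q), rng.randrange(q)
    c_w[0] = ck.com(w0, r0)                  # c_{w_0}: blinds the opened w_k
    c_d = ck.com(sum(w0[k] << k for k in range(n)), s_d)
    w_k = [(x * w0[k - 1] + sum(bit(i, j, k) * weight(i, j) for i, j in idx)) % q
           for k in range(1, n + 1)]
    r_resp = (x * r0 + sum(r[ij] * weight(*ij) for ij in idx)) % q
    return {"c_w": c_w, "c_d": c_d, "w_k": w_k, "r": r_resp, "s": (s_d * x + t) % q}

def range_verifier(ck, c, x, tr):
    """The two first-tier equations of the Verification step of Section 5."""
    p, q, n = ck.p, ck.q, len(tr["w_k"])
    lhs = pow(tr["c_w"][0], x, p)
    for j in range(1, len(tr["c_w"])):
        lhs = lhs * pow(tr["c_w"][j], (1 << ((j - 1) * n)) % q, p) % p
    eq_w = lhs == ck.com(tr["w_k"], tr["r"])
    eq_d = pow(tr["c_d"], x, p) * c % p == ck.com(sum(v << k for k, v in enumerate(tr["w_k"])), tr["s"])
    return eq_w and eq_d

def demo(seed=7):
    """Constructed run: [100, 250) shifted for two witnesses, then M = m = 2, n = 3 (N = 12 bits)."""
    rng = random.Random(seed)
    ck = CommitmentKey(n=3)
    t, s = rng.randrange(ck.q), rng.randrange(ck.q)
    shifts = [shift_to_power_of_two(ck, ck.com(w, t), 100, 250, w, t, s) for w in (120, 230)]
    w, t2, x = 2989, rng.randrange(ck.q), rng.randrange(1, ck.q)
    c, tr = ck.com(w, t2), range_prover(ck, w, t2, 2, 2, 3, x, rng)
    return {"N": [sh[0] for sh in shifts], "values": [sh[2] for sh in shifts],
            "openings_ok": [ck.com(sh[2], sh[3]) == sh[1] for sh in shifts],
            "accepts": range_verifier(ck, c, x, tr),
            "rejects_tampered": range_verifier(ck, c, x, dict(tr, s=(tr["s"] + 1) % ck.q))}
```

Without the omitted batch product argument the verifier's equations are satisfied by any opened values, so the range bound $w < 2^N$ rests entirely on every $w_{ijk}$ being proven to be a bit.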
Abstract. Zero-knowledge proofs of knowledge (ZK-PoK) for discrete 
logarithms and related problems are indispensable for practical crypto- 
graphic protocols. Recently, Camenisch, Kiayias, and Yung provided a 
specification language (the CKY-language) for such protocols which al- 
lows for a modular design and protocol analysis: for every zero-knowledge 
proof specified in this language, protocol designers are ensured that there 
exists an efficient protocol which indeed proves the specified statement. 

However, the protocols resulting from their compilation techniques only satisfy the classical notion of ZK-PoK, which is not retained when they are used as building blocks for higher-level applications or composed with other protocols. This problem can be tackled by moving to the Universal Composability (UC) framework, which guarantees retention of security when composing protocols in arbitrary ways. While there exist generic transformations from $\Sigma$-protocols to UC-secure protocols, these transformations are often too inefficient for practice.

In this paper we introduce a specification language akin to the CKY- 
language and a compiler such that the resulting protocols are UC-secure 
and efficient. To this end, we propose an extension of the UC-framework 
addressing the issue that UC-secure zero-knowledge proofs are by defini- 
tion proofs of knowledge, and state a special composition theorem which 
allows one to use the weaker - but more efficient and often sufficient - 
notion of proofs of membership in the UC-framework. We believe that 
our contributions enable the design of practically efficient protocols that 
are UC-secure and thus themselves can be used as building blocks. 

Keywords: UC-Framework, Protocol Design, Zero-Knowledge Proof.

1 Introduction 

The probably most demanding task when designing a practical cryptographic protocol is to define its security properties and then to prove that it indeed satisfies them. For this security analysis it is often assumed that the “world” 
consists only of one instance of the protocol and only of the involved parties, 
rather than of many parties running many instances of the same protocol as well 
as other protocols at the same time. While this approach allows for a relatively 
simple analysis of protocols, it does not properly model reality and therefore 
provides little if any security guarantees. Also, this approach does not allow for 
a modular usage of the protocols, i.e., when a protocol is used as a building block 
for another protocol, the security analysis must be all done from scratch. 

To address these problems, a number of frameworks have been proposed over 
the years, e.g., [1-3]. The so-called Universal Composability (UC) framework 
by Canetti [2] seems to be the most prevalent one. A fundamental result in this 
model is its very strong composition theorem: once a protocol is proved secure in 
this model, it can be used in arbitrary contexts retaining its security properties. 
This allows one to split a protocol into smaller subroutines so that the security of 
each subprotocol can be analyzed separately, making the security of the overall 
protocol much easier. In particular, each (sub-)protocol needs to be analyzed 
only once and for all and does not have to be repeated for each specific context. 

This modularity and the high security guarantees suggest that protocols 
should always be designed and proven secure in the UC-framework. However, 
this is only the case for a small fraction of the proposed cryptographic schemes, 
such as oblivious transfer [4] and encryption [5,6], and commitment schemes [7]. 
Furthermore, only very few UC-secure protocols are actually deployed in the real 
world, e.g., [8,9]. We believe that one main reason for this is the high computa- 
tional overhead which is often required to achieve UC-security. 

When designing practical cryptographic protocols, efficient zero-knowledge 
proofs of knowledge (ZK-PoK) for discrete logarithms and related problems have 
turned out to be indispensable. On a high level, these are two party protocols 
between a prover and a verifier which allow the former to convince the latter 
that it possesses some secret piece of information, without the verifier being able 
to learn anything about it. This allows protocol designers to enforce one party 
to assure other parties that its actions are consistent with its internal knowledge 
state. The shorthand notation for such proofs, introduced in [10], has been ex- 
tensively used in the past and contributed to the wide employment of ZK-PoK 
in cryptographic design. This notation suggests using, e.g., $\mathrm{PK}[(\alpha) : y = g^\alpha]$ to denote a proof of the discrete logarithm $\alpha = \log_g y$, and it has appeared in many 
works sometimes with quite complex statements, e.g., [11-23]. This informal no- 
tion was recently formalized and refined by Camenisch, Kiayias and Yung who 
have provided a specification language (CKY-language) for such protocols [24]. The language allows for the modular design and analysis of cryptographic protocols: protocol designers just need to specify the statement the ZK-PoK shall 
prove and, if the specification is in the CKY-language, they are ensured that the 
proof protocol exists and indeed proves the specified statement. 

The realizations given by Camenisch et al. [24] are based on $\Sigma$-protocols and 
satisfy the classical notion of ZK-PoK but not that of UC zero-knowledge. On a 
high level, the problem here is that the classical notion only requires that a valid 
witness can be extracted from every convincing prover given rewindable access to that prover. However, in the UC-framework this has to be possible without rewinding. While generic transformations from $\Omega$-protocols to UC-ZK protocols 
are known [25], they come along with a significant computational overhead, 
making the resulting protocols impracticable for real-world usage. 

However, the security proofs of many cryptographic protocols only require the 
existence of a witness, and not that the prover actually knows it. Intuitively, this 
should be easier to achieve than proofs of knowledge. Yet, in the UC-framework 
zero-knowledge proofs are always proofs of knowledge. This is because otherwise 
the ideal functionality generally could not decide whether or not a given state- 
ment is true in polynomial time. In this paper we are aiming at closing the gap 
between high security guarantees and modularity on the one hand, and practical 
usability and efficiency of the resulting protocols on the other hand. 

Our Contributions. We first present an exhaustive language and a compiler 
which allow protocol designers to efficiently and modularly specify and obtain 
UC-ZK protocols. We then give an extension of the UC-framework allowing 
protocol designers to also make usage of the more efficient proofs of existence 
(as opposed to proofs of knowledge), which we also incorporate into our language. 
Let us explain this in more detail in the next paragraphs. 

A language for UC-ZK protocols. We provide an intuitive language for speci- 
fying ZK-PoK for discrete logarithms akin to the CKY-language [24] where the 
specification also allows one to assess the complexity of the specified protocol. 
We then provide a compiler which translates these specifications into concrete 
protocols. Even though this compiler is mainly based on existing techniques, it 
offers unified and unambiguous interfaces and semantics for the associated pro- 
tocols for the first time. It thus enables protocol designers to treat specifications 
in our language as black-boxes, while having clearly defined security guarantees. 

Proving existence rather than knowledge. In the UC-framework, all ZK proofs 
are necessarily proofs of knowledge. However, when designing higher-level proto- 
cols, it is often sufficient to prove that some computation was done correctly, but 
not to show that the secret quantities are actually known. To allow protocol de- 
signers to also make use of these more efficient protocols (which are not proofs of 
knowledge any more), we extend our language and provide the necessary frame- 
work to prove UC-security. Loosely speaking, we therefore formulate the gullible ZK ideal functionality and provide a special composition theorem which allows protocol designers to use existence-proofs “as if they were ideal functionalities,” if they are later instantiated as described in our compiler. Roughly, the theorem states that proving the correctness of a protocol using $\mathcal{F}^{g}_{\mathrm{ZK}}$ in a slightly non-UC-compliant way is sufficient for the protocol where $\mathcal{F}^{g}_{\mathrm{ZK}}$ is instantiated by the real-world protocol to be UC-secure in the standard sense.

Related Work. The UC-framework has first been introduced by Canetti [2]. 
The notion of $\Omega$-protocols was introduced in [25,26], and so far the most effi- 
cient UC-secure zero-knowledge proofs of knowledge have been proposed in [27]. 
Further, [28] analyzes UC-ZK in the presence of global setup [29]. The idea 
of committed proofs was first mentioned in [30]. We combine the techniques 
of [27, 30] to compile proof specifications in our language to real protocols. In 
particular this allows us to realize proofs of existence. 

A language for specifying ZK-PoK for discrete logarithms was presented by 
Camenisch and Stadler [10] and later refined by Camenisch et al. [24], but neither 
of their realizations are UC-secure. Our notation is strongly inspired by theirs. In 
fact, our language has already turned out to be very useful to describe ZK-PoK 
in a companion paper [31], and in this paper we fulfill the promises given there. 

Functionalities similar to $\mathcal{F}^{g}_{\mathrm{ZK}}$ have already been used by Lindell [32,33] and 
Pass and Rosen [34] in different contexts. That is, all this work is on two-party 
protocols which preserve their security guarantees under bounded-concurrent 
self-composition and not on full UC-security. Prabhakaran and Sahai [35, 36] 
also suggest generalizations of the UC-framework in which functionalities can be 
realized that cannot be realized in the plain UC-framework. Their work differs 
from ours in that they leave the standard model of polynomial time computation 
by granting the adversary access to some super-polynomially powerful oracle 
(“imaginary angel”), while our approach works in the standard computational 
model. Furthermore, they suggest generic solutions for ZK-PoK while we are 
aiming at practically efficient protocols. Finally, ideas similar to ours have also 
been suggested in unpublished work by Nielsen [37]. 

Roadmap. After introducing some notation, recapitulating fundamental theory and presenting two running examples in Section 2, we describe a basic language for specifying UC-secure ZK-PoK protocols in detail in Section 3. In Section 4 we show how proofs of existence rather than knowledge can be UC-realized, resulting in much more efficient protocols, and extend our language accordingly. In this section we further show how such specifications can be compiled to actual protocols. We give several extensions to our basic language in Section 5 and briefly conclude in the final section.

2 Preliminaries 

Let us introduce some notation first. By $s \in_R S$ we denote the uniform random choice of some element $s$ in set $S$. The group of signed quadratic residues [38] for some modulus $n$ is denoted by $\mathrm{SR}_n$. For two random ensembles, $\approx$ denotes statistical indistinguishability. Finally, two party protocols between parties $P$ and $V$ with common input $y$ and private input $w$ to $P$ are written as $(P(w), V)(y)$.

We assume that the reader is familiar with the notion of $\Sigma$- and $\Omega$-protocols, and only give informal definitions here. A protocol $(P(w), V)(y)$ is called a $\Sigma$-protocol [39], if it is an honest verifier ZK-PoK in the non-UC model, consisting of three messages being exchanged (a commitment $t$, a challenge $c \in_R C = \{0, 1\}^k$, and a response $r$), such that the secret $w$ can be computed from any two valid protocol transcripts with the same commitment but different challenges. A protocol is called an $\Omega$-protocol [25], if it further takes a common reference string $\sigma$ as additional input, such that when knowing a trapdoor to $\sigma$ it is possible to compute the prover's secret input from any successful run of the protocol.

An $\Omega$-protocol is said to be $f$-extractable, if it is not possible to compute $w$ from any successful run, but only $f(w)$ for some function $f$. In particular, we will make use of two types of $f$-extractable protocols: on the one hand we will use $f(w_1, \dots, w_n) = (w_1, \dots, w_k)$ for some $k < n$, i.e., protocols which only allow to extract parts of the witness. On the other hand, we will have $f(w_1, \dots, w_n) = (w_1, \dots, w_n, A(w_1, \dots, w_n))$, i.e., functions $f$ which in addition to all witnesses additionally output some further values depending on these witnesses. These constructions will allow for an efficiency speedup compared to using plain $\Omega$-protocols, while often still ensuring appropriate security guarantees.


2.1 The UC-Model 

We next briefly recapitulate the Universal Composability (UC) framework [2]. 

A party is a probabilistic polynomial time interactive Turing machine. Each 
party $P$ is uniquely determined by a pair $(\mathrm{PID}_P, \mathrm{SID}_P)$, where $\mathrm{PID}_P$ and $\mathrm{SID}_P$ 
are its party ID and its session ID. Two parties share the same session ID if and 
only if they are participants of the same instance of a protocol. Party IDs are 
solely used to distinguish between participants of the same protocol instance. 
Following [31], we assume that session IDs are structured as pathnames. That 
is, for a protocol with session ID SID, the session ID of any of its subprotocols 
is given by SID/subsession, where subsession is a unique local identifier, con- 
taining the party IDs of all participating parties and shared public parameters. 

The main concept of the UC framework is that of UC-emulation. Loosely speaking, a protocol $\rho$ UC-emulates some protocol $\phi$, if $\rho$ does not affect the security of anything else than $\phi$ would have, no matter how many other instances of $\rho$ or other protocols are executed concurrently. This implies that $\rho$ can safely be used on behalf of $\phi$ without compromising security. The most interesting case is where $\phi$ is some ideal functionality $\mathcal{F}$, which can be thought of as an incorruptible trusted party that takes inputs from all parties, performs some local computations, and hands back outputs to the parties. Ideal functionalities can be seen as formal specifications of cryptographic tasks and are secure by definition. Now, if $\rho$ UC-emulates $\mathcal{F}$, one can infer that $\rho$ does not leak any other information to an adversary than $\mathcal{F}$ would have, and therefore securely realizes the given task in arbitrary contexts. For a more precise description see [2].

Protocols using an ideal functionality $\mathcal{F}$ as a subroutine are called $\mathcal{F}$-hybrid. If not stated otherwise, all protocols we are going to present are $\mathcal{F}_{\mathrm{ach}}$-hybrid protocols, where $\mathcal{F}_{\mathrm{ach}}$ is an ideal functionality realizing authenticated (but not necessarily private) channels. The functionality takes as input a message $x$ from some sender, and forwards it to a receiver. The adversary learns $x$, and, upon corruption of the sender, is allowed to change it before it is delivered.

The corruption model underlying our discussion is adaptive corruptions with 
erasures. This can be seen as a bit of a compromise: while only considering 
static corruptions would not properly reflect reality, assuming secure data era- 
sures is necessary to obtain efficient protocols in this setting. However, even if 
implementing erasures might be difficult, it is not impossible. 
The zero-knowledge functionality

1. Wait for an input (prove, $y$, $w$) from $P$ such that $(y, w) \in R$ if $P$ is honest, or $(y, w) \in R'$ if $P$ is corrupt. Send (prove, $\ell(y)$) to $A$. Further wait for a message ready from $V$, and send ready to $A$.

2. Wait for a message lock from $A$.

3. Upon receiving a message done from $A$, send done to $P$. Further wait for an input proof from $A$ and send (proof, $y$) to $V$.

Corruption rules:

> If $P$ gets corrupted after sending (prove, $y$, $w$) and before Step 2, $A$ is given $(y, w)$ and is allowed to change this value to any value $(y', w') \in R'$ at any time before Step 2.

Fig. 1. The basic zero-knowledge functionality $\mathcal{F}_{\mathrm{ZK}}$, parametrized by two binary relations $R, R'$ such that $R' \supseteq R$ [31]


The Basic UC-ZK Ideal Functionality. In the following we discuss the basic ideal zero-knowledge functionality, which is formally specified in Figure 1. It is parametrized by two binary relations, $R$ and $R'$, which have the following meaning: the relation $R$ specifies the set of inputs $(y, w)$ the functionality accepts from an honest prover. For such inputs, the functionality informs the verifier that the prover knows a witness for $y$, while an adversary does not learn $w$. Yet, if the prover is corrupted, it is allowed to supply inputs from a binary relation $R' \supseteq R$, in which case the ZK property does not have to be satisfied any more.

The relation R might itself be parametrized by system parameters, specifying, 
e.g., the concrete groups being used. We will model all such parameters as public 
coin parameters, i.e., the environment might know the random coins being used 
to generate the system parameters. This is helpful if the same parameters are 
used in other protocols as well, e.g., to sign messages. 

The functionality defined in Figure 1 differs from the standard one found in the literature in two ways. Firstly, we delay revealing the claimed statement $y$ to $V$ and $A$ until the last possible moment, and only give $\ell(y)$ to the adversary in the first step, where $\ell$ is a leakage function, which roughly gives some information about the “size and shape” of $y$ to $A$ (to be precise, $\ell(\cdot)$ is a parameter of $\mathcal{F}_{\mathrm{ZK}}$ as well which will be disregarded in the remaining discussion). This approach prevents the simulator from being over-committed in our constructions, and to the best of our knowledge can safely be used instead of the standard UC-ZK functionality in any application. Secondly, we allow corrupt parties to supply witnesses from a larger set than honest parties. This relaxation stems from the soundness gap of most known efficient constructions for ZK-PoK for discrete logarithms in the non-UC case [40] (which are underlying the constructions for UC-ZK protocols): there, the verifier can only infer that the prover knows a witness $w$ such that $(y, w) \in R'$, whereas an honest prover is ensured that for $(y, w) \in R$ the verifier cannot learn the secret. We further elaborate on this in Section 4.1.

The same formalization of the ZK functionality was also used in [31] . 




2.2 Running Examples 

We next introduce two running examples, which we are going to use throughout 
the discussion to illustrate our techniques. 

Example 2.1 (Running Example 1). Let be given an integer commitment $y \in \mathrm{SR}_n$ for some safe RSA modulus $n$. Let further be given two generators $g, h$ of $\mathrm{SR}_n$. In this example, a prover is interested in proving knowledge of integers $\omega, \rho$ such that $y = g^\omega h^\rho$ and $\omega \ge 0$. □

Numerous practically relevant applications require such proof goals as basic 
building blocks for more complex protocols, e.g., [14,16]. 

Example 2.2 (Running Example 2). Let be given a cyclic group $\mathbb{H}$ of prime order $q$, and two generators, $g, h$ of $\mathbb{H}$. Let further be given a triple $(u_1, u_2, e) \in \mathbb{H}^3$, and let one be interested in proving that $(u_1, u_2, e)$ is a valid encryption of $g^\alpha \in \mathbb{H}$ for some $\alpha \in \mathbb{Z}_q$ known to the prover under the semantically secure version of the Cramer-Shoup cryptosystem [30,41]. That is, the task is to prove that $(u_1, u_2, e)$ is of the form $(g^\rho, h^\rho, g^\alpha c^\rho)$ for a publicly known $c \in \mathbb{H}$. □

This example stems from [31], where such proofs are repeatedly needed in the 
context of credential-authenticated key-exchange and identification protocols. 

3 A Language for Specifying UC-ZK Protocols 

As shown in [42], any ideal functionality can be UC-realized given only function- 
alities realizing commitments and ZK proofs, respectively. This result suggests 
that ZK proofs are important building blocks of higher-level applications, and 
will thus often be deployed when UC-realizing cryptographic tasks. 

Taking this as a motivation, we describe an intuitive language for specifying 
universally composable zero-knowledge protocols. The language is strongly in- 
spired by the standard notation for describing ZK-PoK in the non-UC case which 
was introduced in [10]. We stress that similar to there, our notation does not 
only specify proof goals (i.e., what one wants to prove), but concrete protocols. 
Especially for our results given in Section 4 this unambiguity is important. 

We start by describing a basic language, which allows one to specify arbitrary 
Boolean combinations of protocols proving knowledge of discrete logarithms (or 
representations) in arbitrary groups. In many cases the complexity of the result- 
ing protocol can be inferred directly from the proof specification. 

A protocol proving knowledge of integers $\omega_1, \dots, \omega_n$ satisfying a predicate $\phi(\omega_1, \dots, \omega_n)$ is denoted as follows:

$\mathsf{K}[\omega_1 \in I^*(m_{\omega_1}), \dots, \omega_n \in I^*(m_{\omega_n}) : \phi(\omega_1, \dots, \omega_n)]$ . (1)

Here, each witness $\omega_i$ belongs to some integer domain $I^*(m_{\omega_i})$. The predicate $\phi(\omega_1, \dots, \omega_n)$ is a Boolean formula containing ANDs ($\wedge$) and ORs ($\vee$), built from atomic predicates of the following form:

$y = \prod_i g_i^{F_i(\omega_1, \dots, \omega_n)}$ .

The $g_i$ and $y$ are elements of some commutative group, and the $F_i$ are integer polynomials, i.e., $F_i \in \mathbb{Z}[X_1, \dots, X_n]$. Similar to [10], we make the convention that values of which knowledge has to be proved are denoted by Greek letters, whereas all other quantities are assumed to be publicly known.

We next discuss the single components of our basic language in more detail. 

Groups. Different atomic predicates may use different groups. Besides effi- 
ciently evaluable group operations we only require that group elements are effi- 
ciently recognizable, and that the group order does not contain any small prime 
divisors, where “small” can be seen as an implementation dependent parame- 
ter which typically will have 160–256 bits. In particular, we do not make any 
intractability assumption for the groups. 

We stress that the group of quadratic residues modulo a safe RSA modulus $n$ (i.e., $n = pq$, where $p, q, \frac{p-1}{2}, \frac{q-1}{2}$ are prime, denoted by $\mathrm{QR}_n$) does not satisfy the above requirements, as group membership cannot be efficiently verified. We recommend using the group of signed quadratic residues instead [38].

Predicates. We allow predicates to be arbitrary combinations of atomic pred- 
icates by the Boolean connectives AND and OR. Also, witnesses may be reused 
across different atomic predicates. 

Domains. We allow the secret values $\omega_1, \dots, \omega_n$ to be arbitrary integers. However, for implementation issues, for each $i$ an integer $m_{\omega_i}$ satisfying

$\omega_i \in I(m_{\omega_i}) := \{l \in \mathbb{Z} : -m_{\omega_i} < l < m_{\omega_i}\}$

is required. The value of $m_{\omega_i}$ can be chosen arbitrarily large, and is only needed for the protocols resulting from the construction in Section 4.1 to be statistically zero-knowledge for any $\omega_i \in I(m_{\omega_i})$. They then guarantee that the prover knows witnesses in a larger interval, i.e., they prove knowledge of witnesses $\omega_i^*$ satisfying

$\omega_i^* \in I^*(m_{\omega_i}) := \{l \in \mathbb{Z} : -t m_{\omega_i} < l < t m_{\omega_i}\},$

where $t$ is an implementation dependent parameter, which usually will have about 160–256 bits and which is independent of the groups used in the predicate. In particular, $I^*(m_{\omega_i})$ is thus uniquely defined even if $\omega_i$ is used across different atomic predicates. More precisely, we have $t \approx 2^{k+l} + 2^k - 1$, where $2^{-k}$ is the success probability of a malicious prover, and $l$ is a security parameter controlling the tightness of the statistical ZK property of the protocol.

Formally, the gap between $I(m_{\omega_i})$ and $I^*(m_{\omega_i})$ is modeled by allowing corrupt provers to hand in values satisfying a relation $R' \supseteq R$ to the ideal functionality, whereas honest parties have to supply values in $R$, cf. Section 2.1.

As a special case, we allow to define $I^*(m_{\omega_i}) = I(m_{\omega_i}) = \mathbb{Z}_q$, if (i) the secret $\omega_i$ only occurs in atomic predicates for which the order of the group is known, and (ii) the integer $q$ is a common multiple of all these group orders. This slightly increases the efficiency of the resulting protocols because of shorter exponents in the modular exponentiations in the protocol.
Induced Relation. Each proof specification spec of the form (1) induces two binary relations, $R = R(\mathrm{spec}) \subseteq R'(\mathrm{spec}) = R'$, and a protocol $\pi = \pi(\mathrm{spec})$, cf. Section 4.1. The protocol $\pi$ then UC-emulates $\mathcal{F}_{\mathrm{ZK}}$, i.e., it is zero-knowledge for $(y, w) \in R$, and guarantees the verifier that the prover supplied $(y', w') \in R'$.

Let us now illustrate our basic language by means of our two running examples. 

Example 3.1 (Running Example 1). We start by resolving the condition $\omega \ge 0$ into the form (1) by rewriting it to $\omega = \sum_{i=1}^{4} \chi_i^2$ [43]. Let $\omega$ be an element of $[-T, T]$, i.e., $m_\omega = T$. Then, clearly, we have that $m_{\chi_i} = \lfloor \sqrt{T} \rfloor$ for all $i$. Also, for $y$ to be blinding, we can assume that $m_\rho = \lfloor n/4 \rfloor$.

The proof goal is thus given by:

$\mathsf{K}[\rho \in I^*(\lfloor n/4 \rfloor), (\chi_i)_{i=1}^{4} \in I^*(\lfloor \sqrt{T} \rfloor) : y = g^{\chi_1^2 + \chi_2^2 + \chi_3^2 + \chi_4^2} h^\rho]$ . □

Example 3.2 (Running Example 2). In this case, all secret values are elements of $\mathbb{Z}_q$, where $q$ is the order of $\mathbb{H}$. We therefore get the following proof specification:

$\mathsf{K}[\alpha, \rho \in \mathbb{Z}_q : u_1 = g^\rho \wedge u_2 = h^\rho \wedge e = g^\alpha c^\rho]$ .

In particular note that the requirement that $\mathrm{ord}\,\mathbb{H}$ does not have small prime divisors is satisfied as $q$ was assumed to be prime, cf. Example 2.1. □

4 Proving Existence Rather Than Knowledge 

Realizing ZK-PoK in the UC-framework is a computationally expensive task. On 
a high level this is because the simulator needs to be able to extract the secret 
witness without rewinding, and the most efficient currently known way to achieve 
this is to include Paillier encryptions of the witnesses into the proof. Now, in 
larger protocols, ZK-PoK are often only used to ensure that a computation was 
done correctly, and the simulators of these higher-level protocols do not make 
usage of the witnesses. For instance, in Example 2.2 proving the existence of $\rho$ 
is sufficient to imply the required well-formedness of the ciphertext. 

Thus, often a functionality realizing the following steps would be sufficient: 

1. Wait for an input (prove, $y$, $\bar{w}$) from $P$ such that there is a $w$ satisfying $(y, w) \in R$ and $f(w) = \bar{w}$, and send (prove, $\ell(y)$) to $A$. Further wait for a message ready from $V$, and send ready to $A$.

2. Wait for a message lock from A. 

3. Upon receiving a message done from A, send done to P. Further wait for an 
input proof from A and send (proof, y) to V. 

That is, one is aiming for a functionality which checks whether the prover knows some (partial) information $\bar{w} = f(w)$ for a full witness $w$, and informs the verifier if this is the case. However, the problem is that by definition any zero-knowledge proof in the UC-Framework is always a proof of knowledge. This is because in general the existence of $w$ cannot be checked efficiently, and thus the witness has to be given as an input for the functionality to be able to check whether the statement is true. We now propose a framework that circumvents this problem and allows one to use proofs of existence in the UC-model.

We extend our basic language by the additional $\exists$-quantifier. For secrets quantified under $\exists$ (instead of $\reflectbox{K}$) only their existence (instead of their knowledge) is proved. A generalized specification of a proof goal now looks as follows:

$\reflectbox{K}\, \{\omega_i \in I^*(m_i)\}_{i=1}^{n} : \exists\, \{x_i \in I^*(m'_i)\}_{i=1}^{n'} : \phi(\omega_1, \dots, \omega_n, x_1, \dots, x_{n'})$ (2)

In the following we show how such specifications are compiled into protocols, 
and then describe the underlying theory and composition theorem which allow 
to use such specifications as modular building blocks in larger protocols. 

4.1 Compiling Specifications to Protocols 

Due to space limitations we here only give a brief overview of how protocol specifications are compiled into protocols. For a detailed description we refer to the full version of this paper [44].

> First, the proof specification is rewritten to a predicate which only contains atomic predicates having homogeneous linear relations in their exponents. This can be done by applying standard techniques [40,43,45-48].

> In a second step, the prover computes integer commitments to all secret witnesses $\omega_i$ quantified by $\reflectbox{K}$.

> Next, using the technique proposed in [40], each conjunctive term in the specification (i.e., each subformula of $\phi$ not containing any OR connectives) is translated into a $\Sigma$-protocol which additionally proves that the witnesses being used are the same as in these integer commitments.

> Now, the different $\Sigma$-protocols are combined by the Boolean connectives as specified by the predicate $\phi$ [48,49].

> As a fifth step, the $\Sigma$-protocol is transformed into an $\Omega$-protocol [25,26]. This is achieved by Paillier-encrypting the witnesses quantified by $\reflectbox{K}$ [50], and proving that the encrypted witnesses are the same as in the integer commitments.

> Using a simulation-sound trapdoor commitment [27] and the committed-proof idea of [30], one finally obtains a protocol UC-emulating the ideal functionality.

Theorem 4.1. Let spec be a proof specification of the form (2), and let $R = R(\mathrm{spec})$, $R' = R'(\mathrm{spec})$, and $\pi = \pi(\mathrm{spec})$. Then $\pi$ UC-realizes the corresponding ideal functionality with respect to adaptive corruptions, assuming that securely erasing data is possible. If this is not the case, it still UC-realizes it with respect to static corruptions.

The proof of this theorem is a straightforward adaption of that in [27] and is omitted due to space limitations.

Let us discuss the potential speed-up and the semantical consequences coming along with the usage of the $\exists$-quantifier by means of our two running examples.

Example 4.2 (Running Example 1). To be able to see the speed-up, we first have to resolve the polynomial relation of Example 3.1. Using the technique from [43], we obtain the following equivalent proof specification:

$\reflectbox{K}\, \{\rho_i\}_{i=1}^{4} \in I^*(\lfloor n/4 \rfloor), \{x_i\}_{i=1}^{4} \in I^*(\lfloor \sqrt{T} \rfloor), \rho' \in I^*((4\lfloor \sqrt{T} \rfloor + 1) \lfloor n/4 \rfloor) : \bigwedge_{i=1}^{4} y_i = g^{x_i} h^{\rho_i} \wedge y = y_1^{x_1} y_2^{x_2} y_3^{x_3} y_4^{x_4} h^{\rho'}$

Keeping in mind that the $x_i, \rho_i$ and $\rho'$ can be computed efficiently from $\omega, \rho$ using Lagrange's Four Square Theorem and the Rabin-Shallit algorithm [51], it is easy to see that this specification is semantically equivalent to the following:

$\reflectbox{K}\, \omega \in I^*(T), \rho \in I^*(\lfloor n/4 \rfloor) : \exists\, \{\rho_i\}_{i=1}^{4} \in I^*(\lfloor n/4 \rfloor), \{x_i\}_{i=1}^{4} \in I^*(\lfloor \sqrt{T} \rfloor), \rho' \in I^*((4\lfloor \sqrt{T} \rfloor + 1) \lfloor n/4 \rfloor) : y = g^{\omega} h^{\rho} \wedge \bigwedge_{i=1}^{4} y_i = g^{x_i} h^{\rho_i} \wedge y = y_1^{x_1} y_2^{x_2} y_3^{x_3} y_4^{x_4} h^{\rho'}$

This rewriting yields a significant efficiency speedup, as only Paillier encryptions for 2 instead of 9 values are required. Overall, the prover (verifier) thus saves 14 (7) Paillier encryptions and evaluations of the integer commitment scheme. □

In this example, changing from the $\reflectbox{K}$- to the $\exists$-quantifier is a purely syntactical step, which increases the efficiency of the protocol. This can be seen by considering the underlying $\Omega$-protocol as $f$-extractable, where $f(\omega) = (\omega, A(\omega))$ and $A$ is the algorithm of [51]. However, in general it is not possible to efficiently compute the witnesses quantified by $\exists$, and even their existence cannot be verified efficiently, as is illustrated by the following example.

Example 4.3 (Running Example 2). The following specification is sufficient for proving the required well-formedness of the ciphertext:

$\reflectbox{K}\, \alpha \in \mathbb{Z}_q : \exists\, \rho \in \mathbb{Z}_q : u_1 = g^{\rho} \wedge u_2 = h^{\rho} \wedge e = g^{\alpha} c^{\rho}.$

This observation reduces the complexity of the prover's algorithms in the protocol by 2 Paillier encryptions and 2 evaluations of the integer commitment scheme (one each for their computation and their commitment in the $\Omega$-protocol). □

Here, the underlying $\Omega$-protocol is $f$-extractable, where $f$ is of the form $f(w_1, \dots, w_n) = (w_1, \dots, w_k)$ for $k < n$, such that the remaining $w_i$ cannot be computed. This implies that in general it is not possible to construct an ideal functionality which captures the semantics of an expression such as (2), as it would have to run in probabilistic polynomial time by definition [2].

4.2 The Gullible ZK Functionality and a Composition Theorem 

In the following we describe the theoretical framework which allows protocol designers to treat specifications containing values quantified by $\exists$ (almost) as if they were quantified by $\reflectbox{K}$.
The gullible zero-knowledge functionality $\mathcal{F}_{\mathrm{gZK}}$

1. Wait for an input (prove, $y$, $(w, x)$) from $P$ and send (prove, $\ell(y)$) to $A$. Further wait for a message ready from $V$, and send ready to $A$.

2. Wait for a message lock from $A$.

3. Upon receiving a message done from $A$, send done to $P$. Further wait for an input proof from $A$ and send (proof, $y$) to $V$.

Corruption rules:

> If $P$ gets corrupted after sending (prove, $y$, $(w, x)$) and before Step 2, $A$ is given $(y, (w, \bot))$ and is allowed to change this value at any time before Step 2.

Fig. 2. The gullible zero-knowledge functionality $\mathcal{F}_{\mathrm{gZK}}$ always informs the verifier that the proof was correct


The gullible zero-knowledge functionality $\mathcal{F}_{\mathrm{gZK}}$ expects the prover to supply an image $y$ and a pair $(w, x)$ as inputs, and always informs the verifier that $(y, (w, x)) \in R'$, no matter whether this is the case or not, cf. Figure 2. For an honest prover, $w$ will be the part of the witness for which knowledge has to be proved, whereas $x$ is the part for which only existence has to be proved. Upon corruption of the prover, the adversary only learns $y$ and $w$, but not $x$. This is to model the intuitive goal of proofs of existence appropriately.

Our special composition theorem guarantees that $\rho^{\pi/\mathcal{F}_{\mathrm{gZK}}}$ UC-emulates some other protocol $\phi$, if $\rho$ UC-emulates $\phi$ with respect to a certain type of environments, called nice environments, which we define next. On a high level, these are environments which (almost) never ask the dummy adversary to send incorrect inputs to the gullible zero-knowledge functionality:

Definition 4.4. Let $A^*$ be the dummy adversary attacking some $\mathcal{F}_{\mathrm{gZK}}$-hybrid protocol $\rho$. We call an environment $Z$ nice (with respect to $\rho$), if the statements it requires $A^*$ to send to $\mathcal{F}_{\mathrm{gZK}}$ acting as a prover are true with overwhelming probability. That is, with overwhelming probability $Z$ asks $A^*$ to send pairs $(y, (w, x))$ to $\mathcal{F}_{\mathrm{gZK}}$ for which there is an $\omega$ satisfying $(y, \omega) \in R$ and $f(\omega) = w$.

Note that the value of $x$ submitted by a nice environment is not restricted by this definition, but only $w$ has to be a valid partial witness.

We now define UC-emulation with respect to nice environments: 

Definition 4.5. Let $\rho$ be an $\mathcal{F}_{\mathrm{gZK}}$-hybrid protocol. We say that $\rho$ UC-emulates a protocol $\phi$ with respect to the dummy adversary $A^*$ and nice environments (w.r.t. $\rho$), if there is an efficient simulator $S$ such that no nice environment can distinguish whether it is interacting with $\rho$ and $A^*$ or with $\phi$ and $S$. That is, for every nice environment $Z$ it holds that $\mathrm{EXEC}(\rho, A^*, Z) \approx \mathrm{EXEC}(\phi, S, Z)$.

Here, $\mathrm{EXEC}(\rho, A, Z)$ denotes the random variable given by the output of $Z$ when interacting with $\rho$ and $A$, and analogously for $\mathrm{EXEC}(\phi, S, Z)$.
Fig. 3. Illustration of Theorem 4.6: for proving that $\rho^{\pi/\mathcal{F}_{\mathrm{gZK}}}$ UC-emulates $\phi$, it is sufficient to show that $\rho$ emulates $\phi$ for nice environments


Note that any non-nice environment could potentially distinguish between $\rho$ and $\phi$ by just submitting a false statement, which will always be accepted by $\mathcal{F}_{\mathrm{gZK}}$. Informally, our special composition theorem now states that every non-nice environment can be detected if $\mathcal{F}_{\mathrm{gZK}}$ is instantiated by $\pi$ as described in the previous section, and thus $\rho^{\pi/\mathcal{F}_{\mathrm{gZK}}}$ is secure against arbitrary environments. This allows a protocol designer to use ZK proofs of existence in a UC-compliant way, almost as if they were ZK-PoK. The theorem is illustrated in Figure 3.

Theorem 4.6. Let spec be a proof specification of the form (2), and let $R = R(\mathrm{spec})$, $R' = R'(\mathrm{spec})$, and $\pi = \pi(\mathrm{spec})$. Let further $\rho$ be an $\mathcal{F}_{\mathrm{gZK}}$-hybrid protocol, such that $\rho$ UC-emulates a protocol $\phi$ with respect to the dummy adversary and nice environments, and let $\rho, \phi$ be subroutine respecting. Then $\rho^{\pi/\mathcal{F}_{\mathrm{gZK}}}$ UC-emulates $\phi$ (in the standard sense) with respect to adaptive corruptions if securely erasing data is possible.

Proof (Sketch). We omit a full proof here, and only give the underlying intuition. Let therefore $S$ be the simulator for nice environments, which exists by assumption. We have to show that there exists an efficient simulator $\mathcal{S}$ such that for arbitrary environments $Z$ we have that $\mathrm{EXEC}(\rho^{\pi/\mathcal{F}_{\mathrm{gZK}}}, A^*, Z) \approx \mathrm{EXEC}(\phi, \mathcal{S}, Z)$.

The idea is that $\mathcal{S}$ runs a copy of $S$ and one of $A^*$ internally, and all messages sent to or received from $Z$ are routed through the simulated $A^*$. In general, all communication is further forwarded to $S$, and $\mathcal{S}$ outputs whatever $S$ does. The only exception is made when encountering a call to $\pi$ between two parties, $P$ and $V$. In this case $\mathcal{S}$ internally executes the protocol on the given inputs and behaves as follows (independent of the corruption state of the parties):

> If the run is successful, then with overwhelming probability the input was correct (i.e., $Z$ "behaved nicely"), as the underlying $\Sigma$-protocol is an interactive proof system [52]. Thus, $\mathcal{S}$ proceeds like the simulator for Theorem 4.1, cf. [30] and [27], except for the following difference: secret values quantified by $\exists$ are given to the attacker in the real protocol $\pi$, but not in the ideal functionality $\mathcal{F}_{\mathrm{gZK}}$. This can be simulated because of the committed-proof technique by choosing these secrets at random within their domains whenever necessary. Then, $\mathcal{S}$ computes the corresponding image $y'$ and opens the commitment made in its first message accordingly. As in [27], this is possible because of the trapdoor property of the used commitment scheme. Note here that these values are deleted before sending out the final message, so the simulator never has to supply them after the adversary learned $y$.

> If however the run of $\pi$ is not successful, the given input was incorrect. In this case, $\mathcal{S}$ behaves as $S$ in the case that no proof-message had been sent by the attacker. □

The theorem can be applied as follows by a protocol designer: He first designs a high-level protocol using proofs of existence as if there was a corresponding ideal functionality. Then, in the security proof, he shows that the protocol using $\mathcal{F}_{\mathrm{gZK}}$ UC-emulates a target functionality $\phi$, where he may restrict himself to nice environments only. Finally, after instantiating $\mathcal{F}_{\mathrm{gZK}}$ by $\pi(\mathrm{spec})$, he obtains a protocol emulating $\phi$ in the full UC-sense.

5 Enhancing the Basic Language 

Even if the basic language presented in Section 3 allows one to describe almost arbitrary algebraic properties of and relations among the secret values, it might often be more convenient to declare them explicitly. Also, the requirement that all witnesses must be integers may seem overly restrictive.

To solve these problems, we next give some enhancements of our basic language. More precisely, we will first define a set of macros for specifying algebraic properties of the secret witnesses, and then give conditions under which knowledge of group elements can be proved instead of integers.

5.1 Using Macros to Specify Algebraic Properties of Witnesses 

The language described in Section 3 does not allow one to directly specify algebraic properties of the secrets or algebraic relations among them, and thus it becomes inconvenient to use for complex proof goals. We therefore extend the set of atomic predicates by so-called macros, which allow one to directly describe algebraic properties of the integer witnesses $\omega$. In particular, we allow additional atomic predicates of the following forms, all of which can easily be translated into polynomial relations:

> $\omega \ge 0$. Such statements can easily be translated into statements of the above form by proving knowledge of integers $x_1, \dots, x_4$ such that $\omega = \sum_{i=1}^{4} x_i^2$, see [43].

More generally, we also allow expressions of the form $\omega \in [a, b]$, where $a, b \in \mathbb{Z}$ are public. Such an expression is equivalent to $\omega - a \ge 0 \wedge b - \omega \ge 0$. If $b - a$ is even, this can be rewritten to the even more efficient proof goal $d^2 - (\omega - m)^2 \ge 0$, where $m = (a + b)/2$ and $d = (b - a)/2$.

> $\gcd(v_1, v_2) = 1$, where each of $v_1, v_2$ can be either public or private. As before, such expressions can be rewritten to a polynomial form by introducing additional integers $\alpha_1, \alpha_2$ and proving knowledge of $\alpha_1, \alpha_2, v_1, v_2$ such that $\alpha_1 v_1 + \alpha_2 v_2 = 1$.

> $v_1 \mid v_2$, where $v_1, v_2$ can be either public or private. By introducing an additional secret $\delta$, such relations can be expressed in polynomial form as $\delta v_1 - v_2 = 0$.

Example 5.1 (Running Example 1). Using the first of our specific macros, a protocol for proving knowledge of a non-negative opening of the integer commitment $y$ can be described as follows:

$\reflectbox{K}\, \omega \in I^*(T), \rho \in I^*(\lfloor n/4 \rfloor) : y = g^{\omega} h^{\rho} \wedge \omega \ge 0$ □

Before moving to the next extension of our basic language, we point out that using macros impedes the possibility of estimating the computational costs of the protocol from its specification, which was a favorable property of our basic language. This can be seen by comparing Example 5.1 to Example 3.1: the seemingly simple macro $\omega \ge 0$ entails 5 atomic predicates and 9 secret witnesses, and thus conceals much of the computational cost of the resulting protocol.

As an important remark we note that every auxiliary variable $x_i$ which has to be introduced when resolving any of these macros can be quantified by $\exists$. This can easily be seen by considering the resulting $\Omega$-protocol as $f$-extractable for $f(\omega) = (\omega, A(\omega))$, where $A$ is the algorithm the honest prover used to compute the $x_i$ from $\omega$.
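The rewriting behind Example 4.2 and the $\omega \ge 0$ macro of Example 5.1 can be checked concretely. The following Python program is an added illustration, not code from the paper or its compiler: it uses a constructed toy modulus (far too small to be secure), reads $I^*(m)$ as the integers of absolute value at most $m$ (an assumption about the paper's notation), and replaces the Rabin-Shallit algorithm [51] by an exhaustive four-square search, which suffices for small $\omega$. It plays the honest prover's algorithm $A$ that derives the existentially quantified values $x_i, \rho_i, \rho'$ from the knowledge-quantified pair $(\omega, \rho)$, and then checks every atomic predicate and domain bound of the resolved specification; a tampered $x_1$ shows the check rejecting.

```python
import math
import random

# Constructed toy parameters for the integer commitment scheme (NOT secure: a real
# instance needs a large RSA modulus n and g, h of large order in the squares mod n).
P_TOY, Q_TOY = 10007, 10009
N = P_TOY * Q_TOY                 # modulus n of the commitment scheme
H = pow(12345, 2, N)              # h: a square mod n
G = pow(H, 6789, N)               # g = h^a (a is public here, secret in a real setup)


def in_i_star(x, m):
    """Assumed reading of the domain I*(m): integers x with |x| <= m."""
    return -m <= x <= m


def commit(w, r):
    """Integer commitment y = g^w h^r mod n; a negative r uses the modular inverse of h."""
    return (pow(G, w, N) * pow(H, r, N)) % N


def four_squares(w):
    """Write w >= 0 as x1^2 + x2^2 + x3^2 + x4^2 (Lagrange's Four Square Theorem).
    Exhaustive search stands in for the Rabin-Shallit algorithm [51]; fine for small w."""
    if w < 0:
        raise ValueError("only non-negative integers are sums of four squares")
    for x1 in range(math.isqrt(w), -1, -1):
        r1 = w - x1 * x1
        for x2 in range(math.isqrt(r1), -1, -1):
            r2 = r1 - x2 * x2
            for x3 in range(math.isqrt(r2), -1, -1):
                r3 = r2 - x3 * x3
                x4 = math.isqrt(r3)
                if x4 * x4 == r3:
                    return (x1, x2, x3, x4)
    raise AssertionError("unreachable: Lagrange's theorem guarantees a solution")


def resolve_nonneg(w, rho, rng):
    """Honest prover's algorithm A of Example 4.2: from the knowledge-quantified (w, rho)
    compute the existentially quantified x_i, rho_i, rho' and the commitments y_i."""
    m = N // 4
    xs = four_squares(w)
    rhos = [rng.randrange(-m, m + 1) for _ in range(4)]
    ys = [commit(x, r) for x, r in zip(xs, rhos)]
    # prod_i y_i^{x_i} = g^{sum x_i^2} h^{sum x_i rho_i}, so the slack exponent is:
    rho_prime = rho - sum(x * r for x, r in zip(xs, rhos))
    return xs, rhos, rho_prime, ys


def verify_resolved(y, ys, xs, rhos, rho_prime, T):
    """Check all atomic predicates of the resolved specification of Example 4.2:
    y_i = g^{x_i} h^{rho_i} for i = 1..4 and y = y_1^{x_1} ... y_4^{x_4} h^{rho'},
    together with the domain bounds on x_i, rho_i and rho'."""
    m = N // 4
    root_t = math.isqrt(T)
    if not all(in_i_star(x, root_t) for x in xs):
        return False
    if not all(in_i_star(r, m) for r in rhos):
        return False
    if not in_i_star(rho_prime, (4 * root_t + 1) * m):
        return False
    if any(yi != commit(x, r) for yi, x, r in zip(ys, xs, rhos)):
        return False
    acc = 1
    for yi, x in zip(ys, xs):
        acc = acc * pow(yi, x, N) % N
    return y == acc * pow(H, rho_prime, N) % N


def run_example(T=5000, seed=1, tamper=False):
    """Commit to a random w in [0, T], resolve the macro w >= 0, verify the result.
    With tamper=True, x_1 is altered after resolution, so verification must fail."""
    rng = random.Random(seed)
    m = N // 4
    w = rng.randrange(0, T + 1)
    rho = rng.randrange(-m, m + 1)
    y = commit(w, rho)
    xs, rhos, rho_prime, ys = resolve_nonneg(w, rho, rng)
    if tamper:
        xs = (xs[0] + 1,) + xs[1:]
    return verify_resolved(y, ys, xs, rhos, rho_prime, T)


if __name__ == "__main__":
    print("honest resolution verifies:", run_example())          # True
    print("tampered x_1 verifies:", run_example(tamper=True))   # False
```

The bound on $\rho'$ in the code is exactly the one in the specification: $|\rho'| \le |\rho| + \sum_i |x_i| |\rho_i| \le (4\lfloor\sqrt{T}\rfloor + 1)\lfloor n/4 \rfloor$. Note that only $(\omega, \rho)$ is needed as input; everything else is derived, which is what makes the $\exists$-quantification of the auxiliary values legitimate.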

5.2 Proving Knowledge of Group Elements 

Sometimes it is required to prove knowledge of group elements instead of integers, which is not possible in our basic language. For instance, one might be interested in proving possession of a digital signature on a given message, which, in the case of CL-signatures [53], essentially boils down to proving knowledge of a group element $\omega$ such that $e(\omega, z) = y$, where $e$ is a bilinear map, and $y, z$ are publicly known.

We thus also allow one to specify protocols proving knowledge of a preimage $\omega \in \mathcal{G}$ under some group homomorphism $\psi : \mathcal{G} \to \mathcal{H}$, if $\psi$ satisfies two basic properties: (i) the finite group $\mathcal{G}$ comes along with a generator $g$ and an upper bound $B$ on its order, and (ii) the discrete logarithm problem is hard in $\mathcal{H}$. Then expressions of the following form, which, of course, can arbitrarily be combined with expressions of the basic language, may be used:

$\reflectbox{K}\, \omega \in \mathcal{G} : y = \psi(\omega).$

When compiling protocol specifications containing such expressions, one first has to perform the following steps, and then proceeds as in Section 4.1. The idea of the construction is to first blind the secret preimage $\omega$ using $g$, and then to prove knowledge of the blinding:

1. Set $m' = 2^{l} B$, where $l$ is a security parameter.

2. Choose $\omega' \in_R I(m')$, and set $u = g^{\omega'} \omega$, $y' = \psi(u) y^{-1}$, and $g' = \psi(g)$.

3. Rewrite the proof goal to $\reflectbox{K}\, \omega' \in I^*(m') : y' = g'^{\omega'}$, and add $u$ to the commitment of the $\Omega$-protocol.
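The three steps above can be run through on a toy instance. The following Python code is an added example, not part of the paper: it takes $\mathcal{G}$ to be the order-509 subgroup of $\mathbb{Z}_{1019}^*$ generated by $g = 4$ (constructed parameters, far too small for the discrete logarithm problem in $\mathcal{H}$ to be hard), uses the cubing map $\psi(x) = x^3 \bmod 1019$ as the homomorphism, reads $I(m')$ as the integers of absolute value below $m'$ (an assumption), and checks the identity behind the rewriting: since $\psi$ is a homomorphism, $\psi(u) = \psi(g)^{\omega'} \psi(\omega)$, so $y' = \psi(u) y^{-1}$ equals $g'^{\omega'}$ exactly when $y = \psi(\omega)$.

```python
import random

# Constructed toy parameters (NOT secure): G is the subgroup of order Q = 509 in
# Z_P^* for the safe prime P = 1019, generated by GEN = 4; H is Z_P^* itself.
P = 1019
Q = 509                      # |G|; the paper only needs an upper bound B on the order
B = Q
GEN = 4


def psi(x):
    """Group homomorphism psi: G -> H; here the cubing map x -> x^3 mod P (toy choice)."""
    return pow(x, 3, P)


def blind_preimage(omega, y, l=40, rng=random):
    """Steps 1-3 of Section 5.2, performed by the prover for the goal y = psi(omega).
    Returns the blinded element u, the rewritten image y', the new base g' = psi(g)
    and the integer witness omega' of the rewritten goal y' = g'^{omega'}."""
    m_prime = (1 << l) * B                               # step 1: m' = 2^l * B
    omega_prime = rng.randrange(-m_prime + 1, m_prime)   # step 2: omega' in I(m'), assumed |x| < m'
    u = pow(GEN, omega_prime, P) * omega % P             # u = g^{omega'} * omega
    y_prime = psi(u) * pow(y, -1, P) % P                 # y' = psi(u) * y^{-1}
    g_prime = psi(GEN)                                   # g' = psi(g)
    return u, y_prime, g_prime, omega_prime


def rewritten_goal_holds(y, u, y_prime, g_prime, omega_prime):
    """What the compiled protocol ends up checking: y' is consistent with the
    committed u and the public y, and the integer witness satisfies y' = g'^{omega'}."""
    return (y_prime == psi(u) * pow(y, -1, P) % P
            and y_prime == pow(g_prime, omega_prime, P))


def run(omega, y, seed=3):
    """Blind omega and report whether the rewritten goal holds for the claimed preimage."""
    rng = random.Random(seed)
    u, y_prime, g_prime, omega_prime = blind_preimage(omega, y, rng=rng)
    return rewritten_goal_holds(y, u, y_prime, g_prime, omega_prime)


if __name__ == "__main__":
    secret = pow(GEN, 123, P)        # a group element omega in G
    image = psi(secret)              # public y = psi(omega)
    print("true preimage:", run(secret, image))                 # True
    print("wrong preimage:", run(pow(GEN, 124, P), image))      # False
```

A claimed preimage $\omega$ with $\psi(\omega) \ne y$ leaves a factor $\psi(\omega) y^{-1} \ne 1$ in $y'$, so no integer $\omega'$ can satisfy the rewritten goal; the blinding exponent range $2^{l} B$ is what makes $u$ statistically independent of $\omega$ in the real protocol.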


464 J. Camenisch, S. Krenn, and V. Shoup 


6 Conclusion 

We presented a framework enabling the use of efficient zero-knowledge protocols in the construction of UC-secure protocols. These protocols can be specified in a unified and unambiguous notation and then generated by a compiler. To make proving security of constructions that make use of proof-of-existence protocols easy, we provide a special composition theorem. By means of two running examples we illustrated that using proofs of existence (as opposed to proofs of knowledge) can significantly reduce the computational overhead required to achieve UC-security for many practical applications without affecting security.

We believe that by reducing the costs of UCZK protocols to a practically 
acceptable level in many cases our result can contribute to a wider employment 
of UC-secure protocols in the real world. 
Abstract. We present the first provably secure constructions of universally composable (UC) commitments (in pairing-friendly groups) that simultaneously combine the key properties of being non-interactive, supporting commitments to strings (instead of bits only), and offering re-usability of the common reference string for multiple commitments. Our schemes are also adaptively secure assuming reliable erasures.

1 Introduction 

UC-security. Cryptographic protocols being proven secure in the Universal Composability (UC) framework j^j bring several fundamental benefits compared to protocols for which only stand-alone proofs of security exist. A widely recognized advantage is that executions of UC-secure protocols remain secure in arbitrary, possibly malicious environments — essentially what one should expect from security protocols deployed in the real world. UC protocols do not receive much attention from practitioners, who in addition to security take many other factors into account such as efficiency and robustness, especially when it comes to protocols that require network communication. In this work we focus on universally composable commitment schemes 0 that are useful for various distributed applications.

UC commitments and their properties. In general commitment schemes 
are cryptographic protocols that proceed in two phases: In the commit phase 
the sender computes a commitment c to some message m and communicates c 
to the receiver; in the open phase the sender discloses the message m together 
with some proof d to provide assurance that m was indeed used in the commit 
phase. Typically, commitment schemes serve as building blocks in higher level 
applications, which is why striving for UC-security of these schemes is worth- 
while. It is known that UC commitments imply key exchange and more general 
forms of secure two- and multi-party computation fflfTZ; . Unfortunately, secu- 
rity of commitment schemes under universal composition cannot be obtained 
without additional setup assumptions. A detailed explanation of the underlying 
simulation problem and work-around has been given in the seminal work by 
Canetti and Fischlin jSj, who also showed that the UC-security of commitments 
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prevents their malleability, which is critical to many anticipated applications of 
these schemes. Since |Hj, one of the most basic and widely used setup assump- 
tions is the Common Reference String (CRS) model, which is also used in our 
work. Note that alternative constructions of UC commitments appeal to stronger 
setup assumptions like random oracles jl Kj or hardware tokens m ■ In addition 
to setup assumptions prior work has identified several key properties, based on 
which UC commitment schemes are often compared. These properties (which we 
list below) may serve as “quality criteria” for UC commitments since they shed 
light on the security and potential practicality of the schemes. 

Efficiency. Several factors contribute to the overall efficiency of a UC commitment scheme. In particular, its communication complexity measures the total amount of bits (often in dependency on the security parameter) that are transmitted between the sender and the receiver during both phases of the protocol. These costs also include the actual commitment length, i.e., the number of bits that the receiver would have to store until the open phase. The computational complexity of a commitment scheme indicates the total amount of work performed by participants and is often given in the form of costly public-key operations (e.g. modular exponentiations). Earlier UC commitments, e.g. [HP . were bit commitments and required $\ell$ executions of the basic protocol to commit to an $\ell$-bit string. This usually results in a commitment length of $O(\ell \cdot \lambda)$, whereas the length should ideally be $O(\lambda)$ only.¹ Modern UC schemes, such as f Kill 21612 212 01 . are more efficient in that they can be used to commit to $\ell$-bit strings directly without incurring an expansion factor proportional to the security parameter. Another efficiency indicator of UC commitments in the CRS model is the length of the CRS, which should ideally remain independent of the number of possible users. Note that this latter property is satisfied by many UC schemes today, e.g. \£Mm-


CRS re-usability. UC commitments in the CRS model assume trusted gen- 
eration of the CRS parameters. Of practical relevance is the question of whether 
these parameters are re-usable across polynomially many executions of the com- 
mitment protocol or whether they need to be set up for each new commit phase. 
Clearly, re-usability of CRS parameters is desirable in practice, where setting 
up these parameters anew for each commitment operation may not always be 
possible. Note that CRS re-usability is provided by many existing UC schemes, 
e.g. f Kill 215120] . though the CRS length in is not constant. 

Interaction. Another important property of a UC commitment scheme is 
whether its phases require interaction between the sender and the receiver. Ide- 
ally, UC commitment should be non-interactive, meaning that each phase should 

¹ Due to the so-called extraction property of UC commitments |B| a commitment needs to somewhat contain the entire message, stipulating that the commitment itself is at least as large as the message. Hence, demanding a length $O(\lambda)$ usually requires $\ell < \lambda$.
contain at most one message sent by the sender towards the silent receiver. Such a property is, for example, inherent to many regular (non-UC) commitments, e.g. m \ Interactivity may increase the communication complexity by several factors, since in addition to the actual commitment length the amount of bits communicated during the interactive phases would have to be counted as well. For example, the two most recent interactive commitments by Lindell m have commitment lengths of only 4 resp. 6 group elements, while their total communication complexity amounts to 14 resp. 19 group elements (we remark that for concrete choices of parameters m still remains very efficient in this respect).

The actual advantage of non-interactive UC commitments from the practical 
point of view is resistance to denial of service attacks: Within an interactive 
phase (commit or open) parties maintain a state between the communication 
rounds. It is thus possible for an adversary (malicious sender /receiver or man- 
in-the-middle), by sending incorrectly formed messages during the interaction 
rounds, to lure parties into wasting their (computational) resources — some- 
thing which does not happen in the non-interactive case. Note that, even if no 
adversary is present, interaction between the sender and the receiver may still 
be endangered by faults. Earlier UC bit commitments |bl!)j were non-interactive. 
However, in the more desirable case of UC string commitments, the only known 
non-interactive scheme is due to Nishimaki et al. However, m does not al- 
low CRS re-usability, which arguably diminishes the advantage gained through 
its non-interactivity. Other existing UC string commitments, e.g. | Kill 21.11301 . 
are all interactive, either in the commit or in the open phase. 

UC commitments that have acceptably low computation and communication 
costs, allow CRS re-usability, and do not require any interaction between the 
sender and the receiver would already be ideal from the practical point of view. 
In addition to these properties there are further desirable properties which should 
also be assessed concerning their impact on their relevance in practice. 

Adaptive security. A typical question asked about UC-secure protocols is 
whether security is proven against static or adaptive adversaries. A static ad- 
versary can corrupt protocol participants at the outset of the protocol only. In 
case of UC commitments such corruptions would be allowed only prior to the 
execution of the commit phase, even before the CRS is generated. Since com- 
mitments always have two phases with the open phase being executed after the 
commit phase, it appears unrealistic to exclude corruptions between the two 
phases. Hence, adaptive UC-security, where the adversary can corrupt partici- 
pants at any point in time, revealing all their secrets (including randomness being 
used), appears of higher practical relevance. We observe that some of known UC 
commitments are adaptively secure, e.g. fSIDIl 21ftf2n| . 

Secure erasures. Another property inherent to the UC-security of commitment schemes is whether they rely on the additional assumption that secrets can be securely erased. This assumption is often used in combination with adaptive security, where secrets used in the commit phase that are no longer needed for the open phase are erased to allow simulation in case of later corruptions. Although secure erasures could be realized in practice, it is still desirable for a UC commitment scheme to avoid them. We observe that most adaptively secure UC commitments require secure erasures; the only exception (in addition to the less efficient bit commitments from |HE|) where adaptivity is achieved without erasures is the interactive string commitment by Damgård and Groth 112 -

Hardness assumptions. Last but not least, in addition to an inevitable setup assumption (e.g. CRS) and possible reliance on secure erasures, UC-security of commitments is typically based on further hardness assumptions. These are either general assumptions such as the existence of trapdoor permutations as in jSIDj or more concrete number-theoretic assumptions, which are more likely to give rise to efficient schemes. For example, the UC commitments by Damgård and Nielsen [E| rely on the p-subgroup (23 or Decision Composite Residuosity (DCR) assumption m The DCR assumption has also been used in the UC commitments by Damgård and Groth (T21 (together with the Strong RSA (SRSA) assumption), by Camenisch and Shoup |S|, and by Nishimaki et al. m The recent UC commitments by Lindell m rely on the more established Decision Diffie-Hellman (DDH) assumption, which has also been used in one of the bit commitment schemes by Canetti and Fischlin (HJ and in a particular instantiation of Nishimaki et al.'s scheme 12 2 with the El-Gamal based matrix encryption of Peikert and Waters EH (whose communication complexity is asymptotically comparable to that of a bit commitment scheme, though).

The current state of affairs is that none of the existing CRS-based UC-secure 
string commitment schemes fulfills all of the above mentioned “quality criteria” . 


1.1 Our Results and Comparison to Prior Work 

Results. We propose the first UC-secure string commitment schemes in the 
(standard) CRS model with the so far unique combination of key properties: 
Our schemes have constant costs (i.e., independent of the message length and the 
number of participants) for communication, computation, and CRS length. They 
offer re-usability of the CRS for polynomially many executions. Both schemes 
are completely non- interactive (i.e., the commitment and opening phases both 
consist of a single message from the sender to the receiver). We prove their 
UC-security under adaptive corruptions (with erasures) using the well-known 
Decision Linear (DLIN) assumption j3|. As demonstrated in Table 1, such UC string commitments were not known to exist before. In particular, their ability to commit to strings with re-usable CRS in combination with non-interactivity and adaptive security seems so far unique.²

Our schemes are also the first UC-secure commitments designed for pairing- 
friendly groups. The main ingredients of our schemes are Groth-Sahai proofs [02 

² Zhu [02 claims to have a non-interactive, UC-secure string commitment without erasures for re-usable common reference strings; we were unable to verify the proof of the scheme, though. In fact, the encryption-based scheme does not seem to satisfy the usual equivocality property of such commitments.
and Cramer-Shoup encryption (under the DLIN assumption |3j). Although pairing operations are traditionally costlier in comparison to modular exponentiations in the RSA or Discrete Logarithm settings, the constant costs incurred by our schemes still seem sufficient for practical purposes. As demonstrated in Table 1, the total communication costs of our schemes, when instantiated with appropriate security parameters, are lower than in all previous DCR-based constructions. For our first scheme, the costs are only slightly higher than for the recent (interactive) UC commitments by Lindell m. The entire communication complexity amounts to 21 group elements for our first scheme and 40 elements for our second scheme. Yet our schemes have opposite trade-offs regarding the two phases: our first scheme outputs commitments containing only 5 group elements and transmits 16 elements in the open phase. In contrast, our second scheme requires 37 group elements to commit and only 3 elements to open.

Table 1. Comparison of UC commitment schemes in the CRS model

Techniques. Our first scheme is inspired by the UC commitment scheme of 
Lindell 12m, where the committer encrypts the message in the commit phase 
using the DDH-based Cramer-Shoup encryption scheme, and in the open phase, 
simply reveals the committed message and gives an interactive Sigma proof that 
the message is indeed the one encrypted in the ciphertext. Using non-interactive 
Groth-Sahai proofs we show that this interaction can be safely removed while 
preserving UC security and without losing much of the efficiency. We thus use the DLIN assumption instead of DDH. Observe that the DLIN assumption is often referred to as a natural counterpart of the DDH assumption in bilinear groups where the latter does not hold. More surprisingly, when transforming Lindell's scheme, we also obtain security against adaptive corruptions essentially for free.
That is, the basic scheme in [?], which is the starting point for our first 
construction, is only secure against static corruptions. Lindell then provides 
additional means to derive a variant which withstands adaptive corruptions. In 
[?], there is no way to prove the basic scheme adaptively secure (even with 
reliable erasures) because the committer needs to store the randomness used 
to encrypt in order to give the interactive zero-knowledge proof in the opening 
phase, and thus cannot erase it after having committed. Having to present this 
randomness in case of adaptive corruption, however, inhibits the necessary equivocality property of commitments [?], the ability to adapt simulated commitments 
appropriately. In our case, the committer can compute the non-interactive proof 
already in the commitment phase and present it together with the message in 
the decommitment phase. By this, the committer only needs to store the proof 
and can erase any randomness from the commitment phase, buying us security 
against adaptive corruptions (with erasures). 

At this point, we notice that Groth-Sahai proofs are widely used in many 
cryptographic constructions for reducing the amount of interaction. Interest- 
ingly, their applicability to the setting of UC commitments was not explored so 
far. We thus show that their techniques are powerful enough to allow construc- 
tion of UC commitments with, up till now, unique properties. We demonstrate 
this not only with our first scheme, based on Lindell's commitments (while 
using the DLIN assumption instead of DDH), but also with our second scheme, 
which builds upon Camenisch-Shoup commitments [5] with the difference that 
we work in a discrete logarithm setting instead of relying on the composite residuosity assumption as in [5]. 

We obtain our second scheme using pairing-based trapdoor commitments to group elements [10,15] in combination with Groth-Sahai proofs and DLIN-based Cramer-Shoup encryption. This scheme can be viewed as the UC secure non-interactive (pairing-based) version of the scheme from [5] with the following tweak: We use trapdoor commitments to group elements prior to the encryption scheme. Unlike the original construction, where a Pedersen commitment [20] to message $M$ with randomness $r$ is computed and followed by a verifiable encryption of $(M, r)$, we trapdoor-commit to $M$ (viewed as a group element) and then encrypt only $M$. Yet, we can still extract an opening of the trapdoor commitment when the need arises in the security proof (due to the properties of Groth-Sahai commitments). The resulting scheme is somewhat more efficient in communication than if the full opening of the trapdoor commitment is encrypted as in the original construction [5]. We also notice that the description of the UC commitment scheme in [5] was limited to the presentation of main ideas but a concrete specification and the eventual analysis of security were left open. With our pairing-based construction and the above mentioned tweak, we not only remove interaction in this scheme and significantly improve its communication complexity but essentially develop the initial ideas from [5] to a full-fledged specification and the corresponding proof of security. 

Organization. We recall the basic building blocks that we need in Section 2. 
Section 3 then presents our non-interactive (adaptively) UC-secure string commitment scheme with re-usable CRS together with the detailed proof of security. 

2 Preliminaries 

2.1 Complexity Assumptions 

In the paper, we use groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p$ with a generator $g \in \mathbb{G}$ and endowed with a mapping $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ such that $e(g^a, g^b) = e(g,g)^{ab}$ for all $a,b \in \mathbb{Z}_p$ and $e(g,h) \neq 1_{\mathbb{G}_T}$ whenever $g,h \neq 1_{\mathbb{G}}$. We occasionally consider the Cartesian product of groups as vector spaces where component-wise multiplication $(A,B,C) \cdot (X,Y,Z) = (AX, BY, CZ)$ is the vector addition and component-wise exponentiation $(A,B,C)^x = (A^x, B^x, C^x)$ is the scalar multiplication. In these groups, we rely on the following assumption. 

Definition 1 ([2]). The Decision Linear Problem (DLIN) in $\mathbb{G}$ consists in distinguishing the distribution $D_1 = \{(g, g^a, g^b, g^{ac}, g^{bd}, g^{c+d}) \mid a,b,c,d \leftarrow \mathbb{Z}_p^*\}$ from the distribution $D_2 = \{(g, g^a, g^b, g^{ac}, g^{bd}, g^{z}) \mid a,b,c,d,z \leftarrow \mathbb{Z}_p^*\}$. 

2.2 Groth-Sahai Proof Systems 

In the following notations, for equal-dimension vectors $\vec{A}$ and $\vec{B}$ containing group elements, $\vec{A} \cdot \vec{B}$ stands for their component-wise product. 

When based on the DLIN assumption, the Groth-Sahai (GS) proof systems [?] use a common reference string comprising vectors $\vec{g}_1, \vec{g}_2, \vec{g}_3 \in \mathbb{G}^3$, where $\vec{g}_1 = (g_1, 1, g)$, $\vec{g}_2 = (1, g_2, g)$ for some $g_1, g_2 \in \mathbb{G}$. To commit to $X \in \mathbb{G}$, one sets $\vec{C} = (1,1,X) \cdot \vec{g}_1^{\,r} \cdot \vec{g}_2^{\,s} \cdot \vec{g}_3^{\,t}$ with $r,s,t \leftarrow \mathbb{Z}_p^*$. When proofs should be perfectly sound, $\vec{g}_3$ is set as $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$ with $\xi_1, \xi_2 \leftarrow \mathbb{Z}_p^*$. Commitments 

$$\vec{C} = \big(g_1^{\,r + \xi_1 t},\ g_2^{\,s + \xi_2 t},\ X \cdot g^{\,r + s + t(\xi_1 + \xi_2)}\big)$$ 

are then Boneh-Boyen-Shacham (BBS) ciphertexts [2] that can be decrypted using $\alpha_1 = \log_g(g_1)$, $\alpha_2 = \log_g(g_2)$. In the witness indistinguishability (WI) setting, vectors $\vec{g}_1, \vec{g}_2, \vec{g}_3$ are linearly independent and $\vec{C}$ is a perfectly hiding commitment. Under the DLIN assumption, the two kinds of CRS are indistinguishable. 

To commit to an exponent $x \in \mathbb{Z}_p$, one computes $\vec{C} = \vec{\varphi}^{\,x} \cdot \vec{g}_1^{\,r} \cdot \vec{g}_2^{\,s}$, with $r,s \leftarrow \mathbb{Z}_p^*$, using a CRS comprising vectors $\vec{\varphi}, \vec{g}_1, \vec{g}_2$. In the soundness setting $\vec{\varphi}, \vec{g}_1, \vec{g}_2$ are linearly independent vectors (typically, one chooses $\vec{\varphi} = \vec{g}_3 \cdot (1,1,g)$ where $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$) whereas, in the WI setting, choosing $\vec{\varphi} = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$ gives a perfectly hiding commitment since $\vec{C}$ is always a BBS encryption of $1_{\mathbb{G}}$. On a perfectly sound CRS (where $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$ and $\vec{\varphi} = \vec{g}_3 \cdot (1,1,g)$), commitments to exponents are not fully extractable since the trapdoor $(\alpha_1, \alpha_2)$ only allows recovering $g^x$ from $\vec{C} = \vec{\varphi}^{\,x} \cdot \vec{g}_1^{\,r} \cdot \vec{g}_2^{\,s}$. To prove that committed variables satisfy a set of relations, the Groth-Sahai techniques require one commitment per variable and one proof element (made of a constant number of group elements) per relation. Such proofs are available for pairing-product relations, which are of the type 

$$\prod_{i=1}^{n} e(A_i, X_i) \cdot \prod_{i=1}^{n} \prod_{j=1}^{n} e(X_i, X_j)^{a_{ij}} = t_T, \qquad (1)$$ 

for variables $X_1, \dots, X_n \in \mathbb{G}$ and constants $t_T \in \mathbb{G}_T$, $A_1, \dots, A_n \in \mathbb{G}$, $a_{ij} \in \mathbb{Z}_p$, for $i,j \in \{1, \dots, n\}$. Efficient proofs also exist for multi-exponentiation equations 

$$\prod_{i=1}^{m} A_i^{\,y_i} \cdot \prod_{j=1}^{n} X_j^{\,b_j} \cdot \prod_{i=1}^{m} \prod_{j=1}^{n} X_j^{\,\gamma_{ij} y_i} = T, \qquad (2)$$ 

for variables $X_1, \dots, X_n \in \mathbb{G}$, $y_1, \dots, y_m \in \mathbb{Z}_p$ and constants $T, A_1, \dots, A_m \in \mathbb{G}$, $b_1, \dots, b_n \in \mathbb{Z}_p$ and $\gamma_{ij} \in \mathbb{Z}_p$, for $i \in \{1, \dots, m\}$, $j \in \{1, \dots, n\}$. 

Multi-exponentiation equations admit zero-knowledge proofs at no additional cost. On a simulated CRS (prepared for the WI setting), the trapdoor $(\xi_1, \xi_2)$ makes it possible to simulate proofs without knowing witnesses, and simulated proofs are perfectly indistinguishable from real proofs. As for pairing-product equations, NIZK proofs are often possible (this is typically the case when the target element $t_T$ has a special form) but usually come at some expense. 

In both cases, proofs for quadratic equations (namely, when at least one of the coefficients $a_{ij}$ and $\gamma_{ij}$ is non-zero in (1) and (2), respectively) cost 9 group elements. Linear pairing-product equations (when $a_{ij} = 0$ for all $i,j$ in (1)) take 3 group elements each. Linear multi-exponentiation equations of the type $\prod_{j=1}^{n} X_j^{\,b_j} = T$ (resp. $\prod_{i=1}^{m} A_i^{\,y_i} = T$) demand 3 (resp. 2) group elements. 

2.3 Cramer-Shoup Encryption Based on DLIN Assumption 

This section recalls a variant of the Cramer-Shoup encryption scheme [?] based on the DLIN assumption and suggested in [?]. The scheme offers IND-CCA2 security for encryption schemes with labels [?]. If we assume public generators $g_1, g_2, g$ that are parts of public parameters (i.e., a common reference string), the receiver's public key is made of 

$$X_1 = g_1^{\,x_1} g^{\,x}, \quad X_3 = g_1^{\,x_3} g^{\,y}, \quad X_5 = g_1^{\,x_5} g^{\,z},$$ 
$$X_2 = g_2^{\,x_2} g^{\,x}, \quad X_4 = g_2^{\,x_4} g^{\,y}, \quad X_6 = g_2^{\,x_6} g^{\,z}.$$ 

To encrypt $m \in \mathbb{G}$ under the label $L$, the sender picks $r,s \leftarrow \mathbb{Z}_p^*$ and computes 

$$\psi_{CS} = (U_1, U_2, U_3, U_4, U_5) = \big(g_1^{\,r},\ g_2^{\,s},\ g^{\,r+s},\ m \cdot X_5^{\,r} X_6^{\,s},\ (X_1 X_3^{\,\alpha})^{r} \cdot (X_2 X_4^{\,\alpha})^{s}\big),$$ 

where $\alpha = H(U_1, U_2, U_3, U_4, L) \in \mathbb{Z}_p$ and $H$ is a collision-resistant³ hash function. Given a pair $(\psi_{CS}, L)$, the receiver computes $\alpha$. If $U_5 \neq U_1^{\,x_1 + \alpha x_3} \, U_2^{\,x_2 + \alpha x_4} \, U_3^{\,x + \alpha y}$ then the receiver outputs $\bot$; otherwise he outputs $m = U_4 / (U_1^{\,x_5} U_2^{\,x_6} U_3^{\,z})$. 

Functionality $\mathcal{F}_{MCOM}$ 

$\mathcal{F}_{MCOM}$ is parameterized by a message space $\mathcal{M}$ and interacts with parties $P_1, \dots, P_n$ and adversary S as follows. 

— Upon receiving (commit, sid, cid, $P_i$, $P_j$, $M$) from $P_i$, where $M \in \mathcal{M}$, record (sid, cid, $P_i$, $P_j$, $M$) and send a publicly delayed (receipt, sid, cid, $P_i$, $P_j$) to $P_j$. Ignore any subsequent (commit, sid, cid, $P_i$, $P_j$, *) messages. 

— Upon receiving (open, sid, cid, $P_i$, $P_j$) from $P_i$, if some tuple (cid, $P_i$, $P_j$, $M$) was previously recorded then send a publicly delayed (open, sid, cid, $P_i$, $P_j$, $M$) to $P_j$. Otherwise halt. 

— Upon receiving (corrupt-committer, sid, cid) from the adversary, check if there is already an entry (sid, cid, $P_i$, $P_j$, $M$) and, if so, send $M$ to the adversary. If the adversary provides some $M'$ and (receipt, sid, cid, $P_i$, $P_j$) has not yet been written on $P_j$'s output tape, then change the record to (sid, cid, $P_i$, $P_j$, $M'$). 

Fig. 1. Functionality $\mathcal{F}_{MCOM}$ for Multiple Commitments 
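As an added example (not code from the paper), the labelled linear Cramer-Shoup scheme recalled in Section 2.3, instantiated for illustration in the prime-order subgroup of $\mathbb{Z}_q^*$ for a safe prime $q = 2p+1$ found at import time; SHA-256 reduced mod $p$ stands in for $H$. This group is an assumption of the example: it has no pairing, so it exercises only the encryption, the $U_5$ validity check and the binding of a ciphertext to its label, which is what the commitment schemes rely on when they set $L = P_i\|sid\|cid$.

```python
"""Linear (DLIN-based) Cramer-Shoup encryption with labels, as in Section 2.3.
Group: the order-p subgroup of Z_q^*, q = 2p+1 a safe prime constructed below
(no pairing; this only exercises the encryption side of the commitment schemes)."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    # Miller-Rabin; deterministic for n < 3.3e24 with these twelve bases
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    # smallest p >= 2^(bits-1) with p and q = 2p+1 prime; 4 = 2^2 is a quadratic
    # residue, hence generates the order-p subgroup of Z_q^*
    p = (1 << (bits - 1)) | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    return 2 * p + 1, p, 4

Q, P, G = safe_prime_group()

def rand_exp():
    return 1 + secrets.randbelow(P - 1)  # uniform in Z_p^*

def setup():
    # public generators g1, g2, g (part of the CRS in the commitment schemes)
    return {"g": G, "g1": pow(G, rand_exp(), Q), "g2": pow(G, rand_exp(), Q)}

def keygen(pp):
    g, g1, g2 = pp["g"], pp["g1"], pp["g2"]
    sk = {k: rand_exp() for k in ("x1", "x2", "x3", "x4", "x5", "x6", "x", "y", "z")}
    pk = (pow(g1, sk["x1"], Q) * pow(g, sk["x"], Q) % Q,   # X1 = g1^x1 g^x
          pow(g2, sk["x2"], Q) * pow(g, sk["x"], Q) % Q,   # X2 = g2^x2 g^x
          pow(g1, sk["x3"], Q) * pow(g, sk["y"], Q) % Q,   # X3 = g1^x3 g^y
          pow(g2, sk["x4"], Q) * pow(g, sk["y"], Q) % Q,   # X4 = g2^x4 g^y
          pow(g1, sk["x5"], Q) * pow(g, sk["z"], Q) % Q,   # X5 = g1^x5 g^z
          pow(g2, sk["x6"], Q) * pow(g, sk["z"], Q) % Q)   # X6 = g2^x6 g^z
    return pk, sk

def hash_alpha(u1, u2, u3, u4, label):
    # alpha = H(U1, U2, U3, U4, L) in Z_p; SHA-256 stands in for the collision-resistant H
    data = b"|".join(str(v).encode() for v in (u1, u2, u3, u4)) + b"|" + label
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def encrypt(pp, pk, m, label):
    g, g1, g2 = pp["g"], pp["g1"], pp["g2"]
    X1, X2, X3, X4, X5, X6 = pk
    r, s = rand_exp(), rand_exp()
    u1, u2, u3 = pow(g1, r, Q), pow(g2, s, Q), pow(g, r + s, Q)
    u4 = m * pow(X5, r, Q) * pow(X6, s, Q) % Q
    a = hash_alpha(u1, u2, u3, u4, label)
    u5 = pow(X1 * pow(X3, a, Q), r, Q) * pow(X2 * pow(X4, a, Q), s, Q) % Q
    return (u1, u2, u3, u4, u5)

def decrypt(sk, ct, label):
    # returns None (the paper's bottom symbol) when the validity check on U5 fails
    u1, u2, u3, u4, u5 = ct
    a = hash_alpha(u1, u2, u3, u4, label)
    check = (pow(u1, sk["x1"] + a * sk["x3"], Q)
             * pow(u2, sk["x2"] + a * sk["x4"], Q)
             * pow(u3, sk["x"] + a * sk["y"], Q)) % Q
    if check != u5:
        return None
    mask = pow(u1, sk["x5"], Q) * pow(u2, sk["x6"], Q) * pow(u3, sk["z"], Q) % Q
    return u4 * pow(mask, -1, Q) % Q

def demo():
    """Honest round trip, then two rejected decryptions: wrong label and tampered U4."""
    pp = setup()
    pk, sk = keygen(pp)
    m = pow(pp["g"], rand_exp(), Q)         # message = random group element
    label = b"P_i|sid|cid"                   # constructed label in the schemes' shape
    ct = encrypt(pp, pk, m, label)
    ok = decrypt(sk, ct, label) == m
    wrong_label = decrypt(sk, ct, b"P_k|sid|cid") is None   # alpha changes, U5 check fails
    u1, u2, u3, u4, u5 = ct
    tampered = decrypt(sk, (u1, u2, u3, u4 * pp["g"] % Q, u5), label) is None
    return ok, wrong_label, tampered
```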

2.4 Ideal Functionality for Multiple Commitments 

The ideal commitment functionality $\mathcal{F}_{MCOM}$ described in Figure 1 is the one 
defined by Canetti and Fischlin [?] but, as in [?], we consider publicly delayed 
messages, where the message is delivered to the corresponding party only upon 
confirmation by the adversary (who sees the message first). Note that the func- 
tionality now takes another unique “commitment identifier” cid, which may be 
used if a sender commits to the same receiver multiple times within a session. 
We assume that the combination of sid, cid is globally unique. 


3 Scheme I: A Tweak on Lindell’s Scheme 

Our first construction builds on Lindell’s first interactive UC-secure commitment 
scheme from [?], which is only known to be secure against static corruptions in its 
original variant. We show how to utilize Groth-Sahai proofs so as to completely 
remove interaction, while still guaranteeing UC security (in the adaptive sense) 
and preserving all other valuable properties of the scheme. 

³ The security proofs of the original Cramer-Shoup encryption scheme [?] and its 
variants based on the DLIN assumption [?] only require a universal one-way 
hash function [?]. As mentioned in [?], for example, collision-resistance is needed 
when the scheme is extended so as to support labels. 
CRS-G­en($\lambda$): choose bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of order $p > 2^{\lambda}$, $g \leftarrow \mathbb{G}$ and $g_1 = g^{\alpha_1}$, $g_2 = g^{\alpha_2}$, with $\alpha_1, \alpha_2 \leftarrow \mathbb{Z}_p^*$. Define vectors $\vec{g}_1 = (g_1, 1, g)$, $\vec{g}_2 = (1, g_2, g)$ and $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$ with $\xi_1, \xi_2 \leftarrow \mathbb{Z}_p^*$, which form a Groth-Sahai CRS $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ for the perfect soundness setting. Then, choose a collision-resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p$ and generate a public key $pk = (X_1, \dots, X_6)$ for the linear Cramer-Shoup encryption scheme. The CRS consists of $crs = \{\lambda, \mathbb{G}, \mathbb{G}_T, g, \mathbf{g}, H, pk\}$. 

Commit($crs, M, sid, cid, P_i, P_j$): to commit to message $M \in \mathbb{G}$ for party $P_j$ upon receiving a command (commit, sid, cid, $P_i$, $P_j$, $M$), party $P_i$ parses $crs$ as $\{\lambda, \mathbb{G}, \mathbb{G}_T, g, \mathbf{g}, H, pk\}$, respectively, first fetches $crs$ from $\mathcal{F}_{CRS}$ if not done already, and then conducts the following steps. 

1. Choose random exponents $r,s \leftarrow \mathbb{Z}_p$ and compute a Cramer-Shoup encryption $\psi_{CS} = (U_1, U_2, U_3, U_4, U_5)$ of $M \in \mathbb{G}$ under the label $L = P_i \| sid \| cid$ and the public key $pk \in \mathbb{G}^6$ as in Section 2.3. 

2. Generate a NIZK proof $\pi_{val\text{-}enc}$ that $\psi_{CS} = (U_1, U_2, U_3, U_4, U_5)$ is a valid encryption of $M \in \mathbb{G}$. This requires to commit to exponents $r, s$ and prove that these exponents satisfy the multi-exponentiation equations 

$$U_1 = g_1^{\,r}, \quad U_2 = g_2^{\,s}, \quad U_3 = g^{\,r+s}, \quad U_4 / M = X_5^{\,r} X_6^{\,s}, \quad U_5 = (X_1 X_3^{\,\alpha})^{r} \cdot (X_2 X_4^{\,\alpha})^{s} \qquad (3)$$ 

(which only takes 5 times 2 elements as base elements are all public). Including commitments $com_r$ and $com_s$ to exponents $r$ and $s$, the proof $\pi_{val\text{-}enc}$ demands 16 group elements overall. 

3. $P_i$ erases $(r, s)$ after the generation of $\pi_{val\text{-}enc}$ but retains the state information $D_M = \pi_{val\text{-}enc}$. 

The commitment $\sigma = \psi_{CS}$ comprises 5 group elements. Upon receiving (Com, sid, cid, $\sigma$) from $P_i$, party $P_j$ verifies that $\sigma = \psi_{CS}$ can be parsed as an element of $\mathbb{G}^5$. If yes, $P_j$ outputs (receipt, sid, cid, $P_i$, $P_j$). Otherwise, $P_j$ ignores the message. 

Open($crs, M, D_M, sid, cid, P_i, P_j$): when receiving a command (open, sid, cid, $P_i$, $P_j$, $M$), party $P_i$ reveals $M$ and his state information $D_M = \pi_{val\text{-}enc}$ to $P_j$. 

Verify($crs$, (Com, sid, cid, $\sigma$), $M, D_M, sid, cid, P_i, P_j$): $P_j$ verifies the proof $\pi_{val\text{-}enc}$ and ignores the opening if verification fails. If the proof verifies, $P_j$ outputs (open, sid, cid, $P_i$, $P_j$, $M$) iff $cid$ has not been used with this committer previously. Otherwise, $P_j$ also ignores the message. 

Theorem 1. The above commitment scheme securely realizes $\mathcal{F}_{MCOM}$ in the 
CRS model against adaptive corruptions (assuming reliable erasure), provided 
that (i) the DLIN assumption holds in $\mathbb{G}$; (ii) $H$ is collision-resistant. 

Proof. We construct an ideal-world adversary S that runs a black-box simu- 
lation of the real-world adversary A by simulating the protocol execution and 
relaying messages between A and the environment Z. The ideal-world adversary 
S proceeds as follows in experiment IDEAL. 
1. S sets up $crs$ by choosing $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ as a Groth-Sahai CRS for the perfect WI setting (namely, $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2} \cdot (1,1,g)^{-1}$ for some $\xi_1, \xi_2 \leftarrow \mathbb{Z}_p^*$). Also, S generates a public key $pk = (X_1, \dots, X_6)$ as specified by the linear Cramer-Shoup encryption scheme. 

2. When the environment Z requires some uncorrupted party $P_i$ to commit to a message and send (Commit, sid, cid, $P_i$, $P_j$, $M$) to the functionality, the simulator S is notified that a commitment operation took place but does not know the committed message $M$. Therefore, S chooses a fake random message $R \leftarrow \mathbb{G}$ and computes a linear Cramer-Shoup encryption $\psi_{CS}$ of $R \in \mathbb{G}$ using random exponents $r,s \leftarrow \mathbb{Z}_p$. The adversary A is then given (Com, sid, cid, $\sigma$) with $\sigma = \psi_{CS}$ and, when $P_j$ eventually obtains (Com, sid, cid, $\sigma$) and outputs (Receipt, sid, cid, $P_i$, $P_j$), the simulator S allows $\mathcal{F}_{MCOM}$ to proceed with the delivery of message (Commit, sid, cid, $P_i$, $P_j$) to $P_j$. 

3. If Z requires some uncorrupted party $P_i$ to open a previously generated commitment $\sigma = \psi_{CS}$ to some message $M \in \mathbb{G}$, S learns $M$ from $\mathcal{F}_{MCOM}$ and, using the trapdoor $(\xi_1, \xi_2) \in (\mathbb{Z}_p)^2$ of the simulated Groth-Sahai CRS, generates a simulated proof $\pi_{val\text{-}enc}$ that equations (3) are satisfied for the message $M$ obtained from $\mathcal{F}_{MCOM}$. The internal state of $P_i$ is modified to be $D_M = \pi_{val\text{-}enc}$, which is also given to A as the real-world de-commitment. Before allowing $\mathcal{F}_{MCOM}$ to deliver the message (Open, sid, cid, $P_i$, $P_j$, $M$) to $P_j$, algorithm S waits for $P_j$ to acknowledge the opening in the simulation. 

4. When the simulated adversary A delivers a commitment (Com, sid*, cid*, $\sigma^*$) for party $P_i$ to party $P_j$ and the latter still has not received a commitment with subsession ID cid* from $P_i$, S proceeds as follows. If $P_j$ (and thus $P_i$ as well) is uncorrupted, S notifies $\mathcal{F}_{MCOM}$ that the commitment (sid*, cid*) can be delivered. The Receipt message returned by $\mathcal{F}_{MCOM}$ is delivered to the dummy $P_j$ as soon as the simulated $P_j$ outputs his own Receipt message. If $P_j$ is a corrupted party, then $\sigma^*$ has to be extracted. Namely, S parses $\sigma^*$ as $\psi^*_{CS}$. If $\psi^*_{CS} \notin \mathbb{G}^5$, S simply ignores the commitment. Otherwise, it uses the private key $sk$ corresponding to $pk$ to decrypt $\psi^*_{CS}$. If $\psi^*_{CS}$ turns out to be an invalid Cramer-Shoup ciphertext, the commitment is ignored. Otherwise, S obtains the plaintext $M \in \mathbb{G}$ and sends (Commit, sid*, cid*, $P_i$, $P_j$, $M$) to $\mathcal{F}_{MCOM}$, which causes $\mathcal{F}_{MCOM}$ to prepare a Receipt message for $P_j$. The latter is delivered by S as soon as $P_j$ produces his own output. 

5. If A gets a simulated corrupted party $P_j$ to correctly open a commitment (Com, sid*, cid*, $\sigma^*$) to message $M^*$, the ideal-world adversary S compares $M^*$ to the message $M$ that was previously extracted from $\sigma^*$ and aborts if $M \neq M^*$. Otherwise, S sends (Open, sid, cid, $P_i$, $P_j$, $M$) on behalf of $P_j$ to $\mathcal{F}_{MCOM}$. If A provides an incorrect opening, S simply ignores this opening. 

6. If the simulated A decides to corrupt some party $P_i$, S corrupts the corresponding party $P_i$ in the ideal world and obtains all his internal information. It also modifies all de-commitment information about the unopened commitments generated by $P_i$ so as to make it match the received de-commitment information of $P_i$. (Note that $P_i$ is supposed to reliably delete the exponents and to store only the group elements for decommitments.) This modified internal information is given to A. For each commitment intended for $P_j$ but for which $P_j$ did not receive (Commit, sid, cid, $P_i$, $P_j$), the newly corrupted $P_i$ is allowed to decide what the committed message will eventually be. A new message $M \in \mathbb{G}$ is thus supplied by A and S informs $\mathcal{F}_{MCOM}$ that $M$ supersedes the message chosen by $P_i$ before his corruption. 

To show that the output of the environment Z in the ideal world is indistinguishable from its output in the real world, we consider several hybrid experiments involving hybrid adversaries $S_i$. 

$\mathrm{HYB}_{S_1,Z}$ is identical to the real experiment with two differences. The first one is that the simulator $S_1$ generates the CRS by choosing $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ for the WI setting (namely, $\vec{g}_3$ is chosen as $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2} \cdot (1,1,g)^{-1}$) instead of the perfect soundness setting. The other difference is that honest parties generate commitments by computing $\psi_{CS}$ as an encryption of a random group element $R \in \mathbb{G}$ instead of the real message $M$. The NIZK proof $\pi_{val\text{-}enc}$ is then simulated using the trapdoor $(\xi_1, \xi_2)$ of the Groth-Sahai CRS $(\vec{g}_1, \vec{g}_2, \vec{g}_3)$. Experiment $\mathrm{HYB}_{S_1,Z}$ proceeds almost identically to the ideal-world experiment: the only difference is that $S_1$ does not extract messages that corrupted parties commit to and never has to abort. 

We first observe that the output of the environment Z in $\mathrm{HYB}_{S_1,Z}$ is negligibly close to its output in the real experiment REAL if the linear Cramer-Shoup encryption scheme is IND-CPA and if the two types of Groth-Sahai reference strings are indistinguishable. 

Claim. If the DLIN assumption holds in $\mathbb{G}$, the output of Z in REAL is negligibly different from its output in $\mathrm{HYB}_{S_1,Z}$. 

Proof. The proof proceeds using two intermediate hybrid experiments $\mathrm{HYB}_0$ and $\mathrm{HYB}_0'$ between REAL and $\mathrm{HYB}_{S_1,Z}$. In $\mathrm{HYB}_0$, the perfectly sound CRS $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$, where $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$, is replaced by a fake CRS, where $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2} \cdot (1,1,g)^{-1}$. It is clear that, under the DLIN assumption, this modification cannot affect Z's view. 

Then, $\mathrm{HYB}_0'$ is like $\mathrm{HYB}_0$ with the difference that NIZK proofs $\pi_{val\text{-}enc}$ (which are generated when $S_1$ has to open honestly generated commitments) are simulated using the trapdoor $(\xi_1, \xi_2)$. Observe that proofs $\pi_{val\text{-}enc}$ are simulated proofs for true statements in $\mathrm{HYB}_0'$. Since these proofs have the same distribution as real proofs on a fake CRS, Z's view is identical in $\mathrm{HYB}_0$ and $\mathrm{HYB}_0'$. 

We now turn to the indistinguishability of $\mathrm{HYB}_0'$ and $\mathrm{HYB}_{S_1,Z}$ and rely on the semantic security of the Cramer-Shoup cryptosystem, which is equivalent to the DLIN assumption. Namely, if there exist an environment Z and an adversary A for which the two experiments are distinguishable, there is an IND-CPA adversary $\mathcal{D}_{CPA}$ (in the sense of the left-or-right definition of [21]) against the linear Cramer-Shoup scheme. This adversary takes in an encryption key $pk$ and proceeds as follows. (We merely provide a sketch here.) It uses a Groth-Sahai CRS $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ for the WI setting and the challenge Cramer-Shoup public key $pk$ is used to complete the generation of $crs$. It then simulates adversary A with the left-or-right oracle and the simulation trapdoor $(\xi_1, \xi_2)$ to simulate a NIZK proof. Algorithm $\mathcal{D}_{CPA}$ eventually outputs what the environment outputs. If the secret bit of the encryption oracle is $b = 0$, $\mathcal{D}_{CPA}$ is running experiment $\mathrm{HYB}_0'$ whereas, if $b = 1$, it is running $\mathrm{HYB}_{S_1,Z}$. The same argument as in [?, Theorem 8] shows that experiments REAL and $\mathrm{HYB}_{S_1,Z}$ are indistinguishable. □ 

We observe that the only situation where experiments IDEAL and $\mathrm{HYB}_{S_1,Z}$ depart from each other is when, during the ideal experiment IDEAL, S gives a message $M$ to $\mathcal{F}_{MCOM}$ when a corrupted party $P_i$ comes up with a commitment and, later on, $P_i$ opens that commitment to $M^* \neq M$. We are thus left with the task of bounding the probability of the latter event, which we call Fail, in IDEAL. To this end, we will actually rule out the possibility of such a mismatch in an experiment IDEAL/GENUINE where A's view is nearly the same as in the ideal experiment. We then argue that, if Fail occurs with non-negligible probability during IDEAL, the same holds in IDEAL/GENUINE. 

Experiment IDEAL/GENUINE is defined as being identical to IDEAL with two differences: (1) when honest parties generate commitments, the simulator S “magically” knows which message is being committed to and computes $\psi_{CS}$ and the corresponding opening $\pi_{val\text{-}enc}$ according to the specification of the scheme; (2) S configures the Groth-Sahai CRS $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ for the perfect soundness setting (namely, with $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$, for some random $\xi_1, \xi_2 \in \mathbb{Z}_p$). 

In IDEAL/GENUINE, event Fail occurs if, on behalf of a corrupted player, the adversary A comes up with a commitment $\sigma^* = \psi^*_{CS}$ for which $\psi^*_{CS}$ decrypts to $M$ but A subsequently produces a convincing opening $\pi^*_{val\text{-}enc}$ proving that $\psi^*_{CS}$ opens to $M^* \neq M$. As in IDEAL, S aborts if Fail occurs during IDEAL/GENUINE. As will be argued later on, the probability of Fail is actually zero in IDEAL/GENUINE. 

Claim. If the DLIN assumption holds and if H is collision-resistant, the prob- 
ability that event Fail occurs in IDEAL is negligibly close to its probability of 
occurring in experiment IDEAL/GENUINE. 

Proof. To prove the statement, we define experiments $\mathrm{IDEAL/GENUINE}^{(1)}$ and $\mathrm{IDEAL/GENUINE}^{(2)}$. 

$\mathrm{IDEAL/GENUINE}^{(1)}$: is identical to IDEAL except that S knows which messages honest dummy parties commit to and computes $\psi_{CS}$ as an encryption of the committed message $M$. On the other hand, NIZK proofs $\pi_{val\text{-}enc}$ are still simulated when these commitments have to be opened. 

$\mathrm{IDEAL/GENUINE}^{(2)}$: is as $\mathrm{IDEAL/GENUINE}^{(1)}$ but, when the simulator S has to open honest parties' commitments, NIZK proofs $\pi_{val\text{-}enc}$ are calculated using the real witnesses instead of the simulation trapdoor $(\xi_1, \xi_2)$. 

IDEAL/GENUINE: is the same as $\mathrm{IDEAL/GENUINE}^{(2)}$ with the difference that $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ is defined to be a perfectly sound Groth-Sahai CRS. 

Experiments $\mathrm{IDEAL/GENUINE}^{(1)}$ and $\mathrm{IDEAL/GENUINE}^{(2)}$ provide the adversary and Z with identical views since, in the WI setting, simulated proofs are distributed as real proofs. Also, it is straightforward that IDEAL/GENUINE and $\mathrm{IDEAL/GENUINE}^{(2)}$ are indistinguishable under the DLIN assumption. 

It remains to prove indistinguishability of IDEAL and $\mathrm{IDEAL/GENUINE}^{(1)}$. To this end, we show that, if there exist an environment Z and an adversary A such that Fail occurs with noticeably different probabilities in the two experiments, there is a chosen-ciphertext adversary $\mathcal{D}_{CCA}$ against the linear Cramer-Shoup encryption scheme. Our adversary $\mathcal{D}_{CCA}$ takes as input a public key $pk$ for the encryption scheme and is granted access to a decryption oracle. It then proceeds similarly to $\mathcal{D}_{CPA}$ but this time uses its decryption oracle to extract messages from adversarial commitments (we omit a formal description here for space reasons). We observe that, if the challenger's bit is $b = 1$, $\mathcal{D}_{CCA}$ proceeds in such a way that A's view is exactly as in experiment IDEAL. If $b = 0$, $\mathcal{D}_{CCA}$ is running experiment $\mathrm{IDEAL/GENUINE}^{(1)}$. Hence, as long as the linear Cramer-Shoup system is chosen-ciphertext secure, $\mathcal{D}_{CCA}$'s output probabilities in both experiments must be negligibly far apart. 

In experiment IDEAL/GENUINE, it is easy to see that event Fail cannot occur 
whatsoever. Indeed, it would require the adversary to produce a valid proof for 
a false statement, which is precluded by the perfect soundness of Groth-Sahai 
proofs in the soundness setting. □ 


4 Scheme II: A Tweak on the Camenisch-Shoup Scheme 

4.1 Trapdoor Commitments to Group Elements 

We need a trapdoor commitment scheme, suggested in [?], that allows committing to elements of a pairing-friendly group $\mathbb{G}$. To simplify our security analysis, we need commitments to consist of elements of the same group $\mathbb{G}$. We note that Groth's trapdoor commitment to group elements [?] could be used as well. However, our construction would then require to include NIZK proofs for pairing-product equations in each UC commitment, which would eventually result in longer commitment strings. 

Such a trapdoor commitment can be obtained by modifying the opening phase of perfectly hiding Groth-Sahai commitments so as to enable trapdoor openings. This commitment uses a commitment key describing a prime order group $\mathbb{G}$ and $g \in \mathbb{G}$. The commitment key consists of vectors $(\vec{f}_1, \vec{f}_2, \vec{f}_3)$ chosen as $\vec{f}_1 = (f_1, 1, g)$, $\vec{f}_2 = (1, f_2, g)$ and $\vec{f}_3 = \vec{f}_1^{\,\chi_1} \cdot \vec{f}_2^{\,\chi_2} \cdot (1,1,g)^{\chi_3}$, with $f_1, f_2 \leftarrow \mathbb{G}$, $\chi_1, \chi_2, \chi_3 \leftarrow \mathbb{Z}_p$. To commit to $X \in \mathbb{G}$, the sender picks $\theta_1, \theta_2, \theta_3 \leftarrow \mathbb{Z}_p^*$ and sets $\vec{C}_X = (1,1,X) \cdot \vec{f}_1^{\,\theta_1} \cdot \vec{f}_2^{\,\theta_2} \cdot \vec{f}_3^{\,\theta_3}$, which, if $\vec{f}_3$ is parsed as $(f_{3,1}, f_{3,2}, f_{3,3})$, can be written 

$$\vec{C}_X = \big(f_1^{\,\theta_1} \cdot f_{3,1}^{\,\theta_3},\ f_2^{\,\theta_2} \cdot f_{3,2}^{\,\theta_3},\ X \cdot g^{\,\theta_1 + \theta_2} \cdot f_{3,3}^{\,\theta_3}\big).$$ 

To open $\vec{C}_X = (C_1, C_2, C_3)$, the sender reveals $(D_1, D_2, D_3) = (g^{\theta_1}, g^{\theta_2}, g^{\theta_3})$ and $X$. The receiver is convinced that the committed value was $X$ by checking that 

$$e(C_1, g) = e(f_1, D_1) \cdot e(f_{3,1}, D_3), \qquad e(C_2, g) = e(f_2, D_2) \cdot e(f_{3,2}, D_3), \qquad e(C_3, g) = e(X \cdot D_1 \cdot D_2, g) \cdot e(f_{3,3}, D_3).$$ 

If a sender can come up with distinct openings of $\vec{C}_X$, we can easily construct a distinguisher for the DLIN assumption (and even break a computational assumption that implies DLIN), as noted in [?]. 

Using the trapdoor $(\chi_1, \chi_2, \chi_3)$, the sender can equivocate commitments when $\chi_3 \neq 0$. Given a commitment $\vec{C}_X$ and its opening $(X, (D_1, D_2, D_3))$, one can trapdoor open $\vec{C}_X$ to any other $X' \in \mathbb{G}$ (without knowing $\log_g(X')$) by computing $D_1' = D_1 \cdot (X'/X)^{\chi_1 / \chi_3}$, $D_2' = D_2 \cdot (X'/X)^{\chi_2 / \chi_3}$ and $D_3' = (X/X')^{1/\chi_3} \cdot D_3$. The scheme is thus a trapdoor commitment whenever $\chi_3 \neq 0$. When $\chi_3 = 0$, the commitment is perfectly binding and even extractable with knowledge of discrete logarithms of the commitment key since $X$ can be computed from $(C_1, C_2, C_3)$ using $\beta_1 = \log_g(f_1)$, $\beta_2 = \log_g(f_2)$. 
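As an added example (not code from the paper), the commitment, opening, verification, trapdoor opening and $\chi_3 = 0$ extraction of this section, checked in the exponent. The model is an assumption standing in for a real bilinear group: every element $g^a$ is represented by its discrete logarithm $a \in \mathbb{Z}_p$, so products become sums, exponentiation becomes multiplication, and $e(g^a, g^b) = e(g,g)^{ab}$ becomes the product $ab$; the three verification equations are evaluated in exactly that form, and the order $p$ is set to the Mersenne prime $2^{61}-1$ for illustration only.

```python
"""Trapdoor commitment to group elements (Section 4.1), checked in the exponent.
Model (assumption): a group element g^a is stored as its log a in Z_p, so the
pairing e(g^a, g^b) = e(g,g)^{ab} is the product a*b mod p. Every equation below is
the log form of the corresponding equation over a real bilinear group."""
import secrets

P = (1 << 61) - 1  # Mersenne prime 2^61 - 1, used as the group order p for illustration

def rand():
    return 1 + secrets.randbelow(P - 1)  # element of Z_p^*

def pair(a, b):
    # e(g^a, g^b) = e(g,g)^{ab}: a pairing of two logs is their product in Z_p
    return a * b % P

def keygen(chi3=None):
    """Key (f1, f2, f3) as vectors of logs; chi3 = 0 gives the perfectly binding key."""
    beta1, beta2 = rand(), rand()              # f1 = g^beta1, f2 = g^beta2
    chi1, chi2 = rand(), rand()
    chi3 = rand() if chi3 is None else chi3
    f1 = (beta1, 0, 1)                         # (f1, 1, g) in logs
    f2 = (0, beta2, 1)                         # (1, f2, g) in logs
    f3 = tuple((chi1 * f1[i] + chi2 * f2[i] + chi3 * (0, 0, 1)[i]) % P for i in range(3))
    return (f1, f2, f3), (beta1, beta2, chi1, chi2, chi3)

def commit(key, x):
    """Commit to X = g^x; returns (C_X, (theta1, theta2, theta3)), D_i = g^theta_i."""
    f1, f2, f3 = key
    th = (rand(), rand(), rand())
    c = tuple(((0, 0, x)[i] + th[0] * f1[i] + th[1] * f2[i] + th[2] * f3[i]) % P
              for i in range(3))
    return c, th

def verify(key, c, x, d):
    """The three pairing equations of the opening check, in log form."""
    f1, f2, f3 = key
    d1, d2, d3 = d
    return (pair(c[0], 1) == (pair(f1[0], d1) + pair(f3[0], d3)) % P and
            pair(c[1], 1) == (pair(f2[1], d2) + pair(f3[1], d3)) % P and
            pair(c[2], 1) == (pair((x + d1 + d2) % P, 1) + pair(f3[2], d3)) % P)

def equivocate(trapdoor, x, d, x_new):
    """Reopen a commitment to X as X' using (chi1, chi2, chi3) with chi3 != 0."""
    _, _, chi1, chi2, chi3 = trapdoor
    inv3 = pow(chi3, -1, P)
    delta = (x_new - x) % P                    # log of X'/X
    d1 = (d[0] + delta * chi1 * inv3) % P      # D1' = D1 * (X'/X)^{chi1/chi3}
    d2 = (d[1] + delta * chi2 * inv3) % P      # D2' = D2 * (X'/X)^{chi2/chi3}
    d3 = (d[2] - delta * inv3) % P             # D3' = D3 * (X/X')^{1/chi3}
    return d1, d2, d3

def extract(trapdoor, c):
    """With chi3 = 0 the key is binding and X = C3 / (C1^{1/beta1} * C2^{1/beta2})."""
    beta1, beta2, _, _, chi3 = trapdoor
    if chi3 != 0:
        raise ValueError("extraction needs the binding key (chi3 = 0)")
    return (c[2] - c[0] * pow(beta1, -1, P) - c[1] * pow(beta2, -1, P)) % P

def demo():
    """Honest opening verifies; trapdoor opening to a fresh X' verifies while the old
    opening does not; on the binding key the committed value is recovered."""
    key, td = keygen()
    x, x_new = rand(), rand()
    c, d = commit(key, x)
    honest = verify(key, c, x, d)
    d_new = equivocate(td, x, d, x_new)
    equivocated = verify(key, c, x_new, d_new) and not verify(key, c, x_new, d)
    bkey, btd = keygen(chi3=0)
    bc, _ = commit(bkey, x)
    extracted = extract(btd, bc) == x
    return honest, equivocated, extracted
```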


4.2 Construction 

Our second construction builds upon the Camenisch-Shoup interactive UC-secure commitments [5]. The latter requires the committer to trapdoor-commit to the message $m$ using some randomness $r$ with the Pedersen trapdoor commitment [20] before encrypting $m$ using a CCA2-secure encryption scheme supporting labels. In the committing phase, the sender then provides an interactive proof that the ciphertext $\psi$ encrypts the plaintext which is committed to. To remove interaction from this construction, we use the Groth-Sahai techniques and combine them with the trapdoor commitment to group elements recalled in Section 4.1. The proof itself relies on a common reference string. 

CRS-Gen($\lambda$): choose bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of order $p > 2^{\lambda}$ with $g \leftarrow \mathbb{G}$ and compute $g_1 = g^{\alpha_1}$, $g_2 = g^{\alpha_2}$, $f_1 = g^{\beta_1}$, $f_2 = g^{\beta_2}$ with $\alpha_1, \alpha_2, \beta_1, \beta_2 \leftarrow \mathbb{Z}_p^*$. Define vectors $\vec{g}_1 = (g_1, 1, g)$, $\vec{g}_2 = (1, g_2, g)$ and $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \cdot \vec{g}_2^{\,\xi_2}$ with $\xi_1, \xi_2 \leftarrow \mathbb{Z}_p^*$, which form a Groth-Sahai CRS $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ for the perfect soundness setting. Then, define vectors $\vec{f}_1 = (f_1, 1, g)$, $\vec{f}_2 = (1, f_2, g)$ and $\vec{f}_3 = \vec{f}_1^{\,\chi_1} \cdot \vec{f}_2^{\,\chi_2} \cdot (1,1,g)^{\chi_3}$ with $\chi_1, \chi_2, \chi_3 \leftarrow \mathbb{Z}_p^*$, which form a public key $\mathbf{f} = (\vec{f}_1, \vec{f}_2, \vec{f}_3)$ for the trapdoor commitment to group elements. Finally, choose a collision-resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p$ and generate a public key $pk = (X_1, \dots, X_6)$ for the linear Cramer-Shoup encryption scheme. The CRS consists of $crs = \{\lambda, \mathbb{G}, \mathbb{G}_T, g, \mathbf{g}, \mathbf{f}, H, pk\}$. 

Commit($crs, M, sid, cid, P_i, P_j$): to commit to message $M \in \mathbb{G}$ for party $P_j$ upon receiving a command (commit, sid, cid, $P_i$, $P_j$, $M$), party $P_i$ parses $crs$ as $\{\lambda, \mathbb{G}, \mathbb{G}_T, g, \mathbf{g}, \mathbf{f}, H, pk\}$, respectively, first fetches $crs$ from $\mathcal{F}_{CRS}$ if not done already, and then conducts the following steps. 

1. Using vectors $\mathbf{f} = (\vec{f}_1, \vec{f}_2, \vec{f}_3)$ with $\vec{f}_1 = (f_1, 1, g)$, $\vec{f}_2 = (1, f_2, g)$ and $\vec{f}_3 = (f_{3,1}, f_{3,2}, f_{3,3})$, pick $\theta_1, \theta_2, \theta_3 \leftarrow \mathbb{Z}_p^*$ and compute a commitment to $M \in \mathbb{G}$ as 

$$com_M = (c_{M,1}, c_{M,2}, c_{M,3}) = \big(f_1^{\,\theta_1} \cdot f_{3,1}^{\,\theta_3},\ f_2^{\,\theta_2} \cdot f_{3,2}^{\,\theta_3},\ M \cdot g^{\,\theta_1 + \theta_2} \cdot f_{3,3}^{\,\theta_3}\big).$$ 

2. Choose exponents $r,s \leftarrow \mathbb{Z}_p^*$ and compute a Cramer-Shoup encryption $\psi_{CS} = (U_1, U_2, U_3, U_4, U_5)$ of $M \in \mathbb{G}$ under the label $L = P_i \| sid \| cid$ and the public key $pk \in \mathbb{G}^6$ as in Section 2.3. 

3. Generate a NIZK proof $\pi_{val\text{-}enc}$ that $\psi_{CS} = (U_1, U_2, U_3, U_4, U_5)$ is a valid Cramer-Shoup encryption. This requires to commit to encryption exponents $r, s$ and prove that these satisfy $U_1 = g_1^{\,r}$, $U_2 = g_2^{\,s}$, $U_3 = g^{\,r+s}$ and $U_5 = (X_1 X_3^{\,\alpha})^{r} \cdot (X_2 X_4^{\,\alpha})^{s}$ (which only takes 4 times 2 elements as base elements are all public). Including commitments $com_r$ and $com_s$ to exponents $r$ and $s$, the proof $\pi_{val\text{-}enc}$ demands 14 group elements overall. 

4. Generate a NIZK proof $\pi_{eq\text{-}com}$ that $\psi_{CS}$ encrypts the same group element $M \in \mathbb{G}$ as the one that was committed to in $com_M$. In other words, prove that committed exponents $(r, s, \theta_1, \theta_2, \theta_3)$ satisfy 

$$\Big(\frac{U_1}{c_{M,1}},\ \frac{U_2}{c_{M,2}},\ \frac{U_4}{c_{M,3}}\Big) = \Big(g_1^{\,r} \cdot f_1^{\,-\theta_1} \cdot f_{3,1}^{\,-\theta_3},\ g_2^{\,s} \cdot f_2^{\,-\theta_2} \cdot f_{3,2}^{\,-\theta_3},\ X_5^{\,r} \cdot X_6^{\,s} \cdot g^{\,-\theta_1 - \theta_2} \cdot f_{3,3}^{\,-\theta_3}\Big). \qquad (4)$$ 

Commitments to $r, s$ are already part of $\pi_{val\text{-}enc}$. Committing to $\theta_1, \theta_2, \theta_3$ takes 9 elements. Proving (4) requires 6 elements as each relation is linear. Hence, $\pi_{eq\text{-}com}$ requires 15 group elements and $P_i$ erases $(r, s, \theta_1, \theta_2, \theta_3)$ after its generation but retains the information $D_M = (g^{\theta_1}, g^{\theta_2}, g^{\theta_3})$. 

The entire commitment $\sigma = (com_M, \psi_{CS}, \pi_{val\text{-}enc}, \pi_{eq\text{-}com})$ takes 37 group elements. Upon receiving a commitment (Com, sid, cid, $\sigma$) from $P_i$, party $P_j$ verifies the proofs $\pi_{val\text{-}enc}, \pi_{eq\text{-}com}$ in $\sigma$ and, if correct, outputs (receipt, sid, cid, $P_i$, $P_j$); for invalid proofs $P_j$ ignores the message. 

Open($crs, M, D_M, sid, cid, P_i, P_j$): when receiving (open, sid, cid, $P_i$, $P_j$, $M$), $P_i$ reveals $M$ and $D_M = (D_1, D_2, D_3) = (g^{\theta_1}, g^{\theta_2}, g^{\theta_3})$ to $P_j$. 

Verify($crs$, (Com, sid, cid, $\sigma$), $M, D_M, sid, cid, P_i, P_j$): $P_j$ verifies proofs $\pi_{val\text{-}enc}, \pi_{eq\text{-}com}$ (or recalls the previous check in the commitment phase) and ignores the opening if verification fails. If both proofs verify, $P_j$ outputs (open, sid, cid, $P_i$, $P_j$, $M$) iff $cid$ has not been used with this committer previously and the opening $D_M = (D_1, D_2, D_3)$ of $com_M$ passes the verification test (as described in Section 4.1). Otherwise, $P_j$ also ignores the message. 

4.3 Security 

Theorem 2. The above commitment scheme securely realizes $\mathcal{F}_{MCOM}$ in the 
CRS model against adaptive corruptions (assuming reliable erasure), provided 
that (i) the DLIN assumption holds in $\mathbb{G}$; (ii) the hash function $H$ is collision-resistant. (The proof appears in the full version of the paper.) 
5 Conclusion 

In this paper we gave new constructions of efficient UC-secure commitment 
schemes in the CRS model, simultaneously supporting many useful properties: 
their commitment/opening phases are both non-interactive and they allow committing to strings rather than single bits while re-using the common reference 
string for an unbounded (but polynomial) number of commitments. Such UC 
secure commitments have not been known to exist so far. The only missing prop- 
erty, left as an open problem of our work, is to find new ways for eliminating the 
reliance on erasures (without introducing new assumptions, such as deployment 
of tamper-proof hardware that can be used in practice to avoid erasures, or using 
weaker adversary models that prevent adversarial access to ephemeral secrets). 
Abstract. We show how to leverage the RKA (related-key attack) security of blockciphers to provide RKA security for a suite of high-level primitives. This motivates a more general theoretical question, namely, when is it possible to transfer RKA security from a primitive P1 to a primitive P2? We provide both positive and negative answers. What emerges is a broad and high-level picture of the way achievability of RKA security varies across primitives, showing, in particular, that some primitives resist "more" RKAs than others. A technical challenge was to achieve RKA security even for the practical classes of related-key deriving (RKD) functions underlying fault injection attacks, which fail to satisfy the "claw-freeness" assumption made in previous works. We surmount this barrier for the first time based on the construction of PRGs that are not only RKA secure but satisfy a new notion of identity-collision-resistance.

1 Introduction 

By fault injection or other means, it is possible for an attacker to induce modifications in a hardware-stored key. When the attacker can subsequently observe the outcome of the cryptographic primitive under this modified key, we have a related-key attack (RKA).

The key might be a signing key of a certificate authority or SSL server, a master key for an IBE system, or someone's decryption key. Once viewed merely as a way to study the security of blockciphers, RKAs emerge as real threats in practice and are of interest for primitives beyond blockciphers.

It becomes of interest, accordingly, to achieve (provable) RKA security for 
popular high-level primitives. How can we do this? 

Practical contributions. One approach to building RKA-secure high-level 
primitives is to do so directly, based, say, on standard number-theoretic assump- 
tions. This, however, is likely to yield ad hoc results providing security against 
classes of attacks that are tied to the scheme algebra and may not reflect attacks 
in practice. 

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 486–503, 2011.
We take a different approach. RKA security is broadly accepted in practice as a requirement for blockciphers; in fact, AES was designed with the explicit goal of resisting RKAs. We currently have blockciphers whose resistance to RKAs is backed by fifteen years of cryptanalytic and design effort. We propose to leverage these efforts.

We will provide a general and systematic way to immunize any given instance of a high-level primitive against RKAs with the aid of an RKA-secure blockcipher, modeling the latter, for the purpose of proofs, as an RKA-secure PRF [5]. We will do this not only for symmetric primitives that are "close" to PRFs, like symmetric encryption, but even for public-key encryption, signatures and identity-based encryption. Our methods are cheap, non-intrusive from the software perspective, and able to completely transfer all the RKA security of the blockcipher, so that the high-level primitive resists attacks of the sort that arise in practice.
Theoretical contributions. The ability to transfer RKA security from PRFs to other primitives leads us to ask a broader theoretical question, namely, when is it possible to transfer RKA security from a primitive P1 to a primitive P2? We provide positive results across a diverse set of primitives, showing, for example, that RKA-secure IBE implies RKA-secure IND-CCA PKE. We also provide negative results showing, for example, that RKA-secure signatures do not imply RKA-secure PRFs.

All our results are expressed in a compact set-based framework. For any primitive P and class Φ of related-key deriving functions (functions the adversary is allowed to apply to the target key to get a related key) we define what it means for an instance of P to be Φ-RKA secure. We let RKA[P] be the set of all Φ such that there exists a Φ-RKA secure instance of primitive P. A transfer of RKA security from P1 to P2, expressed compactly as a set containment RKA[P1] ⊆ RKA[P2], is a construction of a Φ-RKA secure instance of P2 given both a normal-secure instance of P2 and a Φ-RKA secure instance of P1. Complementing this are non-containments of the form RKA[P2] ⊄ RKA[P1], which show the existence of Φ such that there exists a Φ-RKA secure instance of P2 yet no instance of P1 can be Φ-RKA secure, indicating in particular that RKA security cannot be transferred from P2 to P1.

As Fig. 1 shows, we pick and then focus on a collection of central and representative cryptographic primitives. We then establish these containment and non-containment relations in a comprehensive and systematic way. What emerges is a broad and high-level picture of the way achievability of RKA security varies across primitives, showing, in particular, that some primitives resist "more" RKAs than others.

We view these relations between RKA[P] sets as an analog of complexity 
theory, where we study relations between complexity classes in order to better 
understand the computational complexity of particular problems. Let us now 
look at all this more closely. 

Background. Related-key attacks were conceived in the context of blockciphers. The first definitions were accordingly for PRFs; for $F: \mathcal{K} \times \mathcal{D} \to \mathcal{R}$ they consider the game that picks a random challenge bit b and a random target key K ∈ 𝒦. For each L ∈ 𝒦 the game picks a random function G(L, ·): 𝒟 → ℛ, and then allows the adversary multiple queries to an oracle that, given a pair (φ, x) with φ: 𝒦 → 𝒦 and x ∈ 𝒟, returns F(φ(K), x) if b = 1 and G(φ(K), x) if b = 0. They say that F is Φ-RKA secure, where Φ is a class of functions mapping 𝒦 to 𝒦, if the adversary has low advantage in predicting b when it is only allowed to use functions φ from Φ in its queries.

Let RKA[PRF] be the set of all Φ for which there exists a Φ-RKA secure PRF. Which Φ are in this set? All the evidence so far is that this question has no simple answer. Bellare and Kohno gave natural examples of Φ not in RKA[PRF], showing the set is not universal. Membership of certain specific Φ in RKA[PRF] has been shown by explicit constructions of Φ-RKA PRFs, first under novel assumptions and then under standard assumptions [3]. Beyond this we must rely on cryptanalysis. Modern blockciphers including AES are designed with the stated goal of RKA security. Accordingly we are willing to assume their Φ-RKA security, meaning that Φ ∈ RKA[PRF], for whatever Φ cryptanalysts have been unable to find an attack.

Beyond PRFs. Consideration of RKAs is now expanding to primitives beyond PRFs. This is viewed partly as a natural extension of the questions on PRFs, and partly as motivated by the view of RKAs as a class of side-channel attacks. An RKA results when the attacker alters a hardware-stored key via tampering or fault injection and subsequently observes the result of the evaluation of the primitive on the modified key. The concern that such attacks could be mounted on a signing key of a certificate authority or SSL server, a master key for an IBE system, or decryption keys of users makes achieving RKA security interesting for a wide range of high-level primitives.

Definitions. We focus on a small but representative set of primitives for which interesting variations in achievability of RKA security emerge. These are PRF (pseudorandom functions), Sig (signatures), PKE-CCA (CCA-secure public-key encryption), SE-CCA (CCA-secure symmetric encryption), SE-CPA (CPA-secure symmetric encryption), IBE (identity-based encryption) and wPRF (weak PRFs). We define what it means for an instance of P to be Φ-RKA secure for each P ∈ {wPRF, IBE, Sig, SE-CCA, SE-CPA, PKE-CCA}. We follow the definitional paradigm of [5], but there are some delicate primitive-dependent choices that significantly affect the strength of the definitions and the challenge of achieving them (see the discussion below). We let RKA[P] be the set of all Φ for which there exists a Φ-RKA secure instance of P. These sets are all non-trivial.

Relations. We establish two kinds of relations between sets RKA[P1] and RKA[P2]:

• Containment: A proof that RKA[P1] ⊆ RKA[P2], established by constructing a Φ-RKA secure instance of P2 from a Φ-RKA secure instance of P1, usually under the (minimal) additional assumption that one is given a normal-secure instance of P2. Containments yield constructions of Φ-RKA secure instances of P2.
Fig. 1. Relations between RKA[P] classes. A containment RKA[P1] ⊆ RKA[P2] is represented in the picture by an arrow P1 → P2 and in the table by a "⊆" in the row P1, column P2 entry. A non-containment RKA[P1] ⊄ RKA[P2] is represented in the table by a "⊄" in the row P1, column P2 entry. The picture does not show non-containments. The picture sometimes shows a redundant containment (for example the arrow PRF → Sig when there is already a path PRF → IBE → Sig) because it corresponds to an interesting direct construction. A blank entry in the table means we do not know.

• Non-containment: A proof that RKA[P2] ⊄ RKA[P1]. Here we exhibit a particular Φ for which we (1) construct a Φ-RKA secure instance of P2 under some reasonable assumption, and (2) show, via an attack, that every instance of P1 is Φ-RKA insecure.

We show that RKA-secure PRFs are powerful enablers of RKA security: given a Φ-RKA PRF and a normal-secure instance of P, we construct a Φ-RKA secure instance of P for all P ∈ {wPRF, IBE, Sig, SE-CCA, SE-CPA, PKE-CCA}. This is represented by the string of containments in the first row of the table in Fig. 1. On the practical side, instantiating the PRF with a blockcipher yields a cheap way to immunize the other primitives against RKAs. On the theoretical side, instantiating the PRF with the construct of [3] yields Φ-RKA secure instances of the other primitives based on standard assumptions.

The separations shown in the first column of the table of Fig. 1, however, also show that RKA-PRFs are overkill: all the other primitives admit Φ-RKA secure instances for a Φ for which no Φ-RKA PRF exists. This leads one to ask whether there are alternative routes to RKA-secure constructions of beyond-PRF primitives.

We show that IBE is a particularly powerful starting point. We observe that Naor's transform preserves RKA security, allowing us to turn a Φ-RKA secure IBE scheme into a Φ-RKA secure Sig scheme. Similarly, we show that the transform of Boneh, Canetti, Halevi and Katz (BCHK) turns a Φ-RKA secure IBE scheme into a Φ-RKA secure PKE-CCA scheme. What lends these transforms well to RKA security is that they do not change the secret key. We also show that given a Φ-RKA secure wPRF we can build a Φ-RKA secure SE-CPA scheme. (A wPRF is like a PRF except that it is only required to be secure on random inputs.) These results motivate finding new Φ-RKA secure IBE schemes and wPRFs.

As the table of Fig. 1 indicates, we show a number of other non-containments. Sig emerges as a very "RKA-resilient" primitive in the sense that it can be secure against strictly more RKAs than most other primitives. Some of the non-containments, such as RKA[PKE-CCA] ⊄ RKA[SE-CPA], might seem odd: doesn't PKE always imply SE? What we are saying is that the trivial transformation of a PKE scheme into an SE one does not preserve RKA security and, moreover, there are Φ for which no transform exists that can do this.

Claws OK. All previous constructions of Φ-RKA secure primitives assume Φ is claw-free (distinct functions in Φ disagree on all inputs) because it is hard to do the proofs otherwise, but the Φ underlying practical fault injection attacks are not claw-free, making it desirable to get constructions avoiding this assumption. For the first time, we are able to do this. In Section 2 we explain the technical difficulties and sketch our solution, which is based on the construction of a Φ-RKA PRG that has a novel property we call identity-collision-resistance (ICR), a variant of a previously studied collision-resistance property.

Related work. The first theoretical treatment of RKAs was by Bellare and Kohno [5]; being inspired by blockciphers, the work addressed PRFs and PRPs. They showed examples of classes not in RKA[PRF], gave conditions on Φ for ideal ciphers to be Φ-RKA secure, and provided standard-model constructs for some limited classes. Subsequently, constructions of Φ-RKA secure PRFs and PRPs for more interesting Φ were found, first under novel assumptions and then under standard assumptions [3], and the results on ideal ciphers were extended.

We are seeing growing interest in RKA security for primitives other than PRFs. Goldenberg and Liskov study related-secret security of lower-level primitives, namely one-way functions, hardcore bits and pseudorandom generators. Applebaum, Harnik and Ishai [2] define RKA security for (randomized) symmetric encryption, give several constructions achieving that definition for interesting Φ and then present numerous applications. Connections with point obfuscation are made by Bitansky and Canetti.

Gennaro, Lysyanskaya, Malkin, Micali and Rabin suggest that RKAs may arise by tampering. They show that one can achieve security when related keys are derived via arbitrary key modification, but assume an external trusted authority signs the original secret key and installs the signature on the device together with its own public key, the latter being "off limits" to the attacker (meaning that the related-key deriving functions may not modify them). In our case, no such authority is assumed. The off-limit quantities are confined to pre-installed public parameters. No information that is a function of the parameters and the key is installed on the chip.

Ishai, Prabhakaran, Sahai and Wagner are concerned with tampering of wires in the computation of a circuit, while we are concerned with tampering with hardware-stored keys. Dziembowski, Pietrzak and Wichs develop an information-theoretic method for preventing tampering and show that a wide class of limited, but non-trivial, Φ can be achieved (unconditionally) for any so-called "interactive stateful system."

Independent work. Interest in RKA security for higher-level primitives is evidenced by Goyal, O'Neill and Rao [22,23], who define correlated-input (CI) hash functions, show how to construct them from the q-DHI assumption based on Boneh-Boyen signatures and the Dodis-Yampolskiy PRF, and apply this to get Φ-RKA secure signatures from q-DHI for a class Φ consisting of polynomials over a field of prime order. (They indicate their approach would also work for other primitives.) Their construction is similar to ours. Their definitions and results, unlike ours, are restricted to claw-free Φ. Also, we start from Φ-RKA PRFs and thus get in-practice security for any class Φ for which blockciphers provide it, while they start from a number-theoretic assumption and get security for a specific class Φ related to the scheme algebra. Their work and ours are concurrent and independent. (Ours was submitted to, and rejected from, Eurocrypt 2011, while theirs was submitted to, and accepted at, TCC 2011.)

Kalai, Kanukurthi and Sahai provide encryption and signature schemes that protect against both tampering and leakage via the idea of key updates that originated in forward-secure signatures. They allow arbitrary tampering functions but only a bounded number of tampering queries within each time period. Their work and ours are again concurrent and independent.

2 Technical Approach 

Before providing formal definitions, constructions and proofs of our many positive and negative results, we would like to illustrate one technical issue, namely the challenges created by Φ that are not claw-free and how we resolve them. For concreteness, our discussion is restricted to the design of Φ-RKA signatures based on Φ-RKA PRFs.

The claw-freeness assumption. All known constructions of Φ-RKA-secure primitives are restricted to Φ that are claw-free. This means that any two distinct functions in Φ disagree on all inputs. This assumption is made for technical reasons; it seems hard to do simulations and proofs without it. Yet the assumption is undesirable, for many natural and practical classes of functions are not claw-free. For example, fault injection might be able to set a certain bit of the key to zero, and if Φ contains the corresponding function and the identity function then it is not claw-free (the two agree on every key in which that bit is already zero). Any Φ that can set the key to a constant value is also not claw-free. Accordingly it is desirable to avoid this assumption. For the first time we are able to do so, via a new technical approach.
Definitions and issues. The degree to which claw-freeness is embedded in current approaches is made manifest by the fact that the very definition of Φ-RKA secure signatures of [22,23] assumes it and is unachievable without it. Let us take a closer look to see how.

The signature RKA-security game of [22,23] picks a secret signing key sk and an associated public verification key vk. It gives the adversary a signing oracle Sign that takes m and φ ∈ Φ and returns the signature of message m under key φ(sk). The adversary eventually outputs m, σ. Besides validity of m, σ under vk, winning requires that m be "new," meaning not "previously signed." The delicate question is, how do we define this? The choice of [22,23] is to disallow the signing query id, m, where id is the identity function. But the adversary can easily define a function φ that is the identity on all but a negligible fraction of its inputs. A query φ, m is then valid since φ ≠ id, but almost always returns the signature σ of m under sk, so the adversary can output m, σ and win. By assuming Φ is claw-free and contains id, [22,23] ensure that such a φ is not in Φ and the attack is ruled out.

Our altered definition of m being "new" is that there was no signing query φ, m with φ(sk) = sk. This is, indeed, the natural requirement, ruling out nothing more than that m was signed under sk.

We now have a much more general definition that is meaningful even for the non-claw-free Φ that arise in practice, but it has a subtle feature that makes achieving it a challenge. Namely, checking whether the adversary won apparently requires knowing sk, for we have to test whether or not φ(sk) = sk. In the reduction proving security, we will be designing an adversary B attempting to distinguish "real" from "random" instances of some problem given an adversary A breaking the signature scheme; B will see if A won, declaring "real" if so and "random" otherwise. But B will be simulating A and will not know sk, so the difficulty is how it can test that A won.

Overview of solution. We start from a Φ-RKA secure PRF $F: \mathcal{K} \times \mathcal{D} \to \mathcal{R}$ that has what we call a key fingerprint for the identity function. This is a relaxation of the notion of a key fingerprint of [3]. It consists of a vector w over 𝒟 such that for all K and all φ ∈ Φ with φ(K) ≠ K there is some i such that F(K, w[i]) ≠ F(φ(K), w[i]). This allows statistical disambiguation of the original key K from other keys. Such fingerprints exist for the Φ-RKA PRFs of [3] and for blockciphers and are thus a mild assumption.

We now turn F into a PRG (pseudorandom generator) G that has two properties. First, it is Φ-RKA secure; this means the adversary has low advantage in determining the challenge bit b in the game that picks a random target key K and a random function R, and then gives the adversary an oracle Gen that on input φ returns G(φ(K)) if b = 1 and R(φ(K)) if b = 0. This is of course easily obtained from a Φ-RKA PRF. We call the new second property Φ-ICR (identity-collision-resistance); this means that for a hidden key K, it is hard for the adversary to find φ ∈ Φ such that φ(K) ≠ K yet G(φ(K)) = G(K). At first it might seem this follows from Φ-RKA security, but we show by a separate proposition that it does not. However, we also show how to build a PRG that is both Φ-RKA and Φ-ICR secure from a Φ-RKA PRF with an identity key fingerprint, without assuming Φ is claw-free.

We build our Φ-RKA secure signature scheme from this PRG G and a base (normal-secure) signature scheme, as follows. The secret key of our new signature scheme is a key K for the PRG. The output of the PRG on input K, G(K), is used as randomness to run the key-generation algorithm 𝒦 of the base signature scheme, yielding a public key pk, which becomes the public key of our scheme, and the corresponding secret key, which is discarded. (Recall that the secret key of the new scheme is the PRG key K.) To sign a message m under K, run G on K to get coins for 𝒦, run the latter with these coins to get pk, sk, and finally sign m under sk with the base signature scheme. Verification is just as in the base signature scheme.
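
As an added worked example (not code from the paper or its authors), the following Python implements the transform just described together with the freshness test discussed under "Definitions and issues" above. The PRG is a toy HMAC-SHA256 construction and the base scheme is a Lamport one-time signature whose key generation is deterministic in its coins; both are stand-ins, assumed here, for the Φ-RKA, Φ-ICR PRG and the normal-secure base scheme of the paper. The RKD class contains the identity, XOR-with-a-constant and "clear bit i" functions, the last being the fault-injection example from the claw-freeness paragraph that makes the class non-claw-free. The demo signs under clear_i(K) for a bit i that is already zero in K, so the returned signature is in fact one under sk = K: the [22,23] freshness rule counts the result as a forgery, this paper's rule (was m signed under some φ with φ(K) = K?) does not, and the PRG-output comparison that the reduction B relies on reaches the same verdict without knowing K.

```python
"""Added example (not from the paper): the PRG-based Phi-RKA signature
transform of Section 2 with SHA-256 only.  Assumptions: a toy HMAC-based PRG
stands in for the Phi-RKA, Phi-ICR PRG; a Lamport one-time signature with
key generation deterministic in its coins stands in for the normal-secure
base scheme."""
import hashlib
import hmac
import os

H = hashlib.sha256
N = 32  # bytes in a key, a hash and a PRG output


def prg(K: bytes) -> bytes:
    """Toy PRG G: the PRG key K -> coins for the base scheme's key generation."""
    return hmac.new(K, b"coins-for-base-keygen", H).digest()


# --- base scheme: Lamport OTS whose keygen is a deterministic function of coins
def base_keygen(coins: bytes):
    sk = [[hmac.new(coins, bytes([i, j]), H).digest() for j in (0, 1)]
          for i in range(256)]
    pk = [[H(s).digest() for s in pair] for pair in sk]
    return pk, sk


def _msg_bits(m: bytes):
    d = int.from_bytes(H(m).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def base_sign(sk, m: bytes):
    return [sk[i][b] for i, b in enumerate(_msg_bits(m))]


def base_verify(pk, m: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _msg_bits(m))))


# --- transformed scheme: the secret key is the PRG key K, nothing else is kept
def keygen():
    K = os.urandom(N)
    pk, _sk = base_keygen(prg(K))      # base sk discarded, recomputed when signing
    return pk, K


def sign(K: bytes, m: bytes):
    _pk, sk = base_keygen(prg(K))
    return base_sign(sk, m)


verify = base_verify                   # verification is that of the base scheme


# --- related-key deriving functions, as encoded descriptions ------------------
def rkd_eval(phi, K: bytes) -> bytes:
    """id; xor with a constant; 'clear bit i' (a fault sets one key bit to 0).
    clear_i agrees with id on every key whose bit i is already 0: not claw-free."""
    if phi[0] == "id":
        return K
    if phi[0] == "xor":
        return bytes(a ^ b for a, b in zip(K, phi[1]))
    if phi[0] == "clear":
        return (int.from_bytes(K, "big") & ~(1 << (255 - phi[1]))).to_bytes(N, "big")
    raise ValueError("unknown RKD description")


def rka_sign_oracle(K: bytes, phi, m: bytes):
    """Sign oracle of the Phi-RKA signature game: signs m under phi(K)."""
    return sign(rkd_eval(phi, K), m)


def fresh_per_22_23(queries, m: bytes) -> bool:
    """Freshness rule of [22,23]: m counts as new unless (id, m) was queried."""
    return all(not (phi == ("id",) and mq == m) for phi, mq in queries)


def fresh_per_this_paper(K: bytes, queries, m: bytes) -> bool:
    """Freshness rule of this paper: no query (phi, m) with phi(K) = K."""
    return all(not (rkd_eval(phi, K) == K and mq == m) for phi, mq in queries)


def same_key_via_prg(K: bytes, phi) -> bool:
    """What the reduction B can test without K: compare PRG outputs.
    Phi-ICR says this agrees with phi(K) == K except with negligible probability."""
    return prg(rkd_eval(phi, K)) == prg(K)


def demo():
    pk, K = keygen()
    m = b"pay 100 to mallory"
    # a bit of K that is already 0: clear_i(K) == K, a claw with the identity
    i = next(j for j in range(256) if not (int.from_bytes(K, "big") >> (255 - j)) & 1)
    phi = ("clear", i)
    queries = [(phi, m)]
    sig = rka_sign_oracle(K, phi, m)          # in fact a signature under K itself
    other = rka_sign_oracle(K, ("xor", b"\x01" * N), m)
    return {
        "verifies_under_pk": verify(pk, m, sig),
        "forgery_per_22_23": fresh_per_22_23(queries, m),
        "forgery_per_this_paper": fresh_per_this_paper(K, queries, m),
        "prg_test_says_same_key": same_key_via_prg(K, phi),
        "genuinely_related_key_rejected": not verify(pk, m, other),
    }
```

The Lamport base scheme is one-time, so this toy must not be used to sign two messages; it is chosen only because its key generation is a pure function of its coins, which is the property the transform needs from 𝒦.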

For the proof we must construct an adversary B breaking the Φ-RKA security of G given an adversary A breaking the Φ-RKA security of our signature scheme. B thinks of the key K underlying its game as the secret key for our signature scheme and then runs A. When A makes a Sign query φ, m, adversary B calls its Gen oracle on φ and uses the result as coins for 𝒦 to get a secret key under which it then signs m for A. Eventually A outputs a forgery attempt m, σ. The assumed security of the base signature scheme makes it unlikely that A's forgery is a winning one when Gen is underlain by a random function. So B would like to test whether A's forgery was a winning one, outputting 1 if so and 0 otherwise, to win its game. The difficulty is that it cannot test this because, not knowing K, it cannot test whether or not A made a Sign query φ, m with φ(K) = K. The Φ-ICR property of G comes to the rescue, telling us that whether or not φ(K) = K may be determined by whether or not the outputs of G on these two inputs, which B does have, are the same.

This sketch still pushes under the rug several subtle details, which are dealt with in the full proof in the full version of this paper.

3 Preliminaries 

Notation. For sets X, Y, Z let Fun(X, Y) be the set of all functions mapping X to Y, and let FF(X, Y, Z) = Fun(X × Y, Z). The empty string is denoted ε. If v is a vector then |v| denotes the number of its coordinates and v[i] denotes its i-th coordinate, meaning v = (v[1], . . . , v[|v|]). A (binary) string x is identified with a vector over {0, 1}, so that |x| is its length and x[i] is its i-th bit. If a_1, . . . , a_n are strings then a_1 ∥ · · · ∥ a_n denotes their concatenation. If S is a set then |S| denotes its size and s ←$ S the operation of picking a random element of S and calling it s. We say that a real-valued function on the integers is negligible if it vanishes faster than the inverse of any polynomial.

Algorithms. Unless otherwise indicated, an algorithm is PT (polynomial time) and may be randomized. An adversary is an algorithm. If A is an algorithm and x is a vector then A(x) denotes the vector (A(x[1]), . . . , A(x[|x|])). By y ← A(x_1, x_2, . . . ; r) we denote the operation of running A on inputs x_1, x_2, . . . and coins r ∈ {0, 1}*. We denote by y ←$ A(x_1, x_2, . . .) the operation of picking r at random and letting y ← A(x_1, x_2, . . . ; r). We denote by [A(x_1, x_2, . . .)] the set of all possible outputs of A on inputs x_1, x_2, . . . . We denote by k ∈ ℕ the security parameter and by 1^k its unary encoding. It is assumed that the length of the output of any algorithm A depends only on the lengths of its inputs. In particular we can associate to a single-input algorithm A its output length ℓ satisfying |A(x)| = ℓ(|x|) for all x. If A, B are algorithms then A ∥ B denotes the algorithm that on any input x returns A(x) ∥ B(x).

Games. Some of our definitions and proofs are expressed via code-based games. Recall that such a game consists of an Initialize procedure, procedures to respond to adversary oracle queries, and a Finalize procedure. A game G is executed with an adversary A as follows. First, Initialize executes on input 1^k and its output is the input to A. Then A executes, its oracle queries being answered by the corresponding procedures of G. When A terminates, its output becomes the input to the Finalize procedure. The output of the latter, denoted G^A, is called the output of the game. We let "G^A ⇒ d" denote the event that this game output takes value d. If Finalize is absent it is understood to be the identity function, so the game output is the adversary output. Boolean flags are assumed initialized to false.

4 Classes of RKDFs and RKA-PRFs 

Classes of RKDFs. In [5], a class Φ of related-key deriving functions (RKDFs) is a finite set of functions, all with the same domain and range. Our more general, asymptotic treatment requires extending this, in particular to allow the functions to depend on public parameters of the scheme. For us a class Φ = (P, Q) of RKDFs, also called an RKA specification, is a pair of algorithms, the second deterministic. On input 1^k, the parameter generation algorithm P produces parameters π. On input π, a key K and a description φ of an RKD function, the evaluation algorithm Q returns either a modified key or ⊥. We require that for all φ, π, either Q(π, K, φ) = ⊥ for all K or for no K. We let $\Phi_{\pi,\phi}(\cdot) = Q(\pi, \cdot, \phi)$. We require that Φ always includes the identity function. (Formally, there is a special symbol id such that $\Phi_{\pi,\mathrm{id}}(K) = K$ for all K, π. This is to ensure that Φ-RKA security always implies normal security.) We let ID be the class consisting of only the identity function, so that ID-RKA security is normal security.

A scheme (regardless of the primitive) is a tuple (P, . . .) of algorithms, the first of which is a parameter generation algorithm that on input 1^k returns a string. If ℓ is the output length of the parameter generator P of a class Φ = (P, Q), we say that Φ is compatible with the scheme if the string formed by the first ℓ(k) bits of the output of the scheme's parameter generation algorithm on input 1^k is distributed identically to the output of P(1^k), for all k ∈ ℕ. This is done so that, in constructing one Φ-RKA primitive from another, we can extend the parameters of the constructed scheme beyond those of the original one without changing the class of RKDFs.

We say that Φ = (P, Q) is claw-free if φ ≠ φ' implies Q(π, K, φ) ≠ Q(π, K, φ') (or both values are ⊥) for all π, K. This property has been assumed almost ubiquitously in previous work because of the technical difficulties created by its absence, but the assumption is in fact quite restrictive, since many natural classes do not have it. We are able to remove this assumption and provide constructs secure even for non-claw-free classes via new technical approaches. We let CF be the set of all Φ that are claw-free.

Fig. 2. Games defining Φ-RKA PRF security and Φ-IDFP security of function family FF = (P, 𝒦, F) having range Rng(·):

  proc Initialize                    // PRF
    π ←$ P(1^k); K ←$ 𝒦(π); b ←$ {0, 1}
    Return π

  proc Fn(φ, x)                      // PRF
    K' ← Φ_{π,φ}(K)
    If K' = ⊥ then return ⊥
    If b = 1 then T[K', x] ← F(π, K', x)
    If b = 0 and T[K', x] = ⊥ then T[K', x] ←$ Rng(π)
    Return T[K', x]

  proc Finalize(b')                  // PRF
    Return (b = b')

  proc Initialize                    // IDFP
    π ←$ P(1^k); K ←$ 𝒦(π); w ←$ IKfp(π)
    Return π, w

  proc Fn(φ)                         // IDFP
    K' ← Φ_{π,φ}(K)
    If K' = ⊥ then return ⊥
    If K' ≠ K then
      If F(π, K', w) = F(π, K, w) then Win ← true
    Return F(π, K', w)

  proc Finalize()                    // IDFP
    Return Win

The class Φ^const = (P, Q^const) of constant functions associated to class Φ = (P, Q) is defined by $\Phi^{\mathrm{const}}_{\pi,a}(K) = a$ for all K, all a ∈ {0, 1}* and all π. The union Φ_1 ∪ Φ_2 = (P, Q) of classes Φ_1 = (P, Q^1) and Φ_2 = (P, Q^2) is defined by having Q(π, K, φ) parse φ as i ∥ φ' for i ∈ {1, 2} and return Q^i(π, K, φ').
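
As an added example (not from the paper), the following Python runs the two games of Fig. 2 concretely for a small RKD class: the union of the identity, the XOR-with-a-constant functions and the constant functions Φ^const, with descriptions encoded as tagged tuples so that the class is a (description, evaluation algorithm) pair as in the definition above. The family F(K, x) = SHA-256(K ⊕ x) is a constructed toy: it looks like a respectable hash-based function yet is not RKA secure for the XOR class, since F(K ⊕ Δ, x) = F(K, x ⊕ Δ), and the distinguisher exploits exactly this to win the PRF game with advantage 1. HMAC-SHA256 is included for comparison under the (cryptanalytic, unproved) assumption that it resists this class, which is the kind of assumption the paper makes of blockciphers. The claw-free check shows that adding Φ^const to a class destroys claw-freeness, as the text notes; the IDFP game is included with a two-point fingerprint.

```python
"""Added example (not from the paper): games PRF and IDFP of Fig. 2 run
concretely.  Assumptions: the toy family weak_F stands in for an RKA-insecure
PRF and HMAC-SHA256 for a blockcipher-like RKA-PRF."""
import hashlib
import hmac
import os
import random

N = 32  # key, input and output length in bytes


def weak_F(K: bytes, x: bytes) -> bytes:
    """Constructed toy PRF with a related-key weakness: it only ever sees
    K xor x, so F(K xor d, x) == F(K, x xor d) for every d."""
    return hashlib.sha256(bytes(a ^ b for a, b in zip(K, x))).digest()


def hmac_F(K: bytes, x: bytes) -> bytes:
    return hmac.new(K, x, hashlib.sha256).digest()


# --- class Phi = ID u Phi^xor u Phi^const; a description is a tagged tuple ----
def rkd_eval(phi, K: bytes):
    """Evaluation algorithm Q(pi, K, phi); None plays the role of the bottom
    symbol for an unknown description.  No parameters pi are needed here."""
    tag = phi[0]
    if tag == "id":
        return K
    if tag == "xor":
        return bytes(a ^ b for a, b in zip(K, phi[1]))
    if tag == "const":
        return phi[1]
    return None


def is_claw_free(phis, keys) -> bool:
    """Claw-freeness on a sample of keys: two distinct descriptions must never
    map the same key to the same value.  ID u Phi^const always fails, because
    const_a and id agree on the key a."""
    for K in keys:
        images = {}
        for phi in phis:
            K2 = rkd_eval(phi, K)
            if K2 in images and images[K2] != phi:
                return False
            images[K2] = phi
    return True


class PRFGame:
    """Game PRF of Fig. 2: b = 1 answers with F under the derived key, b = 0
    with a lazily sampled random function, consistent per (key, input)."""
    def __init__(self, F):
        self.F, self.K, self.b, self.T = F, os.urandom(N), random.randrange(2), {}

    def Fn(self, phi, x: bytes):
        K2 = rkd_eval(phi, self.K)
        if K2 is None:
            return None
        if self.b == 1:
            return self.F(K2, x)
        if (K2, x) not in self.T:
            self.T[(K2, x)] = os.urandom(N)   # T[K', x] <-$ Rng(pi)
        return self.T[(K2, x)]

    def Finalize(self, b_guess: int) -> bool:
        return self.b == b_guess


def xor_distinguisher(game: PRFGame) -> int:
    """Adversary A: compare F(K xor d, x) with F(K, x xor d).  Real world: equal
    for weak_F.  Random world: two distinct (key, input) cells, so equal only
    with probability 2^-256."""
    d, x = b"\x55" * N, b"\xa3" * N
    y1 = game.Fn(("xor", d), x)
    y2 = game.Fn(("id",), bytes(a ^ b for a, b in zip(x, d)))
    return 1 if y1 == y2 else 0


def prf_advantage(F, adversary, trials: int = 200) -> float:
    """Empirical 2 * Pr[PRF^A => true] - 1 over independent game runs."""
    wins = 0
    for _ in range(trials):
        g = PRFGame(F)
        wins += g.Finalize(adversary(g))
    return 2 * wins / trials - 1


class IDFPGame:
    """Game IDFP of Fig. 2 with fingerprint vector w of distinct domain points."""
    def __init__(self, F, w):
        self.F, self.w, self.K, self.win = F, w, os.urandom(N), False

    def Fn(self, phi):
        K2 = rkd_eval(phi, self.K)
        if K2 is None:
            return None
        out = tuple(self.F(K2, wi) for wi in self.w)
        if K2 != self.K and out == tuple(self.F(self.K, wi) for wi in self.w):
            self.win = True
        return out


def idfp_attack(F, tries: int = 64) -> bool:
    """Brute attempt at an identity collision with random xor offsets and
    constants; it fails for both families here (collision resistance of SHA-256)."""
    g = IDFPGame(F, [b"\x00" * N, b"\x01" * N])
    for _ in range(tries):
        g.Fn(("xor", os.urandom(N)))
        g.Fn(("const", os.urandom(N)))
    return g.win
```

The real world of PRFGame re-evaluates F on every query, while the random world memoizes per (K', x), exactly as the table T in Fig. 2 does; for weak_F the distinguisher's advantage is 1 in every trial, for hmac_F the two answers never coincide in either world, so it is reduced to guessing and its empirical advantage is noise around 0.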

Discussion. In a non-asymptotic treatment, there is no formal line between "secure" and "insecure." This makes it unclear how to rigorously define the sets RKA[P]. Led, accordingly, to pursue an asymptotic treatment, we introduce parameter dependence; this allows us to capture constructs in the literature where RKDFs are defined over a group that is now parameter-dependent rather than fixed. (We note that even in the non-asymptotic case, a treatment like ours is needed to capture constructs in [28] relying on an RSA group defined by random primes. This issue is glossed over there.) A dividend of our treatment is a separation between an RKDF and its encoding, the latter being what an adversary actually queries, another issue glossed over in previous work.
Function families. A function family FF = (P, 𝒦, F) consists of a parameter generator, a key generator, and an evaluator, the last deterministic. For each k ∈ ℕ and π ∈ [P(1^k)], the scheme also defines PT decidable and sampleable sets Dom(π) and Rng(π) such that F(π, K, ·) maps elements of Dom(π) to Rng(π). We assume there are polynomials d, ℓ, called the input and output lengths respectively, such that Dom(π) ⊆ {0, 1}^{d(k)} and Rng(π) ⊆ {0, 1}^{ℓ(k)}. Unless otherwise indicated we assume Rng(π) = {0, 1}^{ℓ(k)}, ℓ(k) = ω(log k) and |Dom(π)| ≥ 2^k for all π ∈ [P(1^k)] and all k ∈ ℕ.
RKA-PRFs. Let FF = (P, 𝒦, F) be a function family as above. Game PRF of Fig. 2 is associated to FF and an RKA specification Φ that is compatible with FF. Let $\mathrm{Adv}^{\mathrm{prf}}_{FF,\Phi,A}(k)$ equal 2 Pr[PRF^A ⇒ true] − 1 when the game has input 1^k. We say FF is Φ-RKA secure if this advantage function is negligible.
Identity key fingerprints. An identity key fingerprint function with vector length v(·) for FF = (P, 𝒦, F) is an algorithm IKfp that for every k ∈ ℕ and every π ∈ [P(1^k)] returns, on input π, a v(k)-vector over Dom(π) all of whose coordinates are distinct. Game IDFP of Fig. 2 is associated to FF and an RKA specification Φ = (P, Q) that is compatible with FF. Let $\mathrm{Adv}^{\mathrm{idfp}}_{FF,\Phi,A}(k)$ equal Pr[IDFP^A ⇒ true] when the game has input 1^k. We say FF is Φ-IDFP secure if this advantage function is negligible.

The key fingerprint notion of [3] can be seen as allowing statistical disambiguation of any pair of keys. They showed that the Naor-Reingold PRF NR has such a fingerprint, but in general it does not seem common. Interestingly, their own Φ-RKA PRFs, which build on NR, are not known to have such a fingerprint. Our relaxation can be seen as asking for computational disambiguation of the original key from other keys, and ends up being much easier to achieve. In particular, such fingerprints exist for the constructs of [3]. This is a consequence of something more general, namely that any Φ-RKA secure PRF with large enough range is Φ-IDFP secure if Φ is claw-free, with any point in the domain functioning as the fingerprint. This is formalized by Proposition 1 below, with a proof in the full version. Φ-IDFP security for the constructs of [3] follows as the Φ they use is claw-free.

Proposition 1. Suppose Φ is claw-free and FF is a Φ-RKA secure PRF with associated domain Dom(·) and super-polynomial size range Rng(·). Let IKfp be any algorithm that on input π returns a 1-vector over Dom(π). Then FF is Φ-IDFP secure.

In practice Φ-IDFP security seems like a mild assumption even when Φ is not claw-free. A vector of a few distinct domain points ought to be a suitable fingerprint for any practical blockcipher. This does not follow from a standard assumption on it such as PRF security, but it is consistent with properties assumed by cryptanalysts and can be proved in the ideal cipher model.

Φ-IDFP security of given Φ-RKA PRFs, even for non-claw-free Φ, will be important in the constructions underlying our containment results, and we make it a default assumption on a Φ-RKA PRF. The above shows that this is a mild and reasonable assumption.

RKA sets. We say that an RKA specification Φ = (P, Q) is achievable for the primitive PRF if there exists a Φ-RKA and Φ-IDFP secure PRF that is compatible with Φ. We let RKA[PRF] be the set of all Φ that are achievable for PRF.

What can attacks modify? We view the system as a whole as having the following components: algorithms (code), parameters, public keys (if any) and secret keys. Of these, our convention is that only secret keys are subject to RKAs. This is not the only possible model, nor is it necessarily the most realistic if considering tampering attacks in practice, but it is a clear and interesting one with some justification. Parameters are systemwide, meaning fixed beforehand and independent of users, and may, in an implementation, be part of the algorithm code. Public keys are accompanied by certificates under a CA public key that is in the parameters, so if parameters are safe, so are public keys. This leaves secret keys as the main target. One consequence of this is that in a public key setting the attack is only on the holder of the secret key, meaning the signer for signatures and the receiver for encryption, while in the symmetric setting both sender and receiver are under attack, making this setting more complicated.

We could consider attacks on public keys, but these are effectively attacks on parameters. Furthermore the only way for them to succeed is to modify the CA public key in the parameters in a rather special way, replacing it by some other key under which the attack produces certificates for the modified public key. "Natural" attacks caused by fault injection are unlikely to do this, further supporting our convention of confining attacks to secret keys.

  proc Initialize // PRG
    π ←$ P(1^k) ; K ←$ K(π) ; b ←$ {0,1}
    Return π

  proc Gen(φ) // PRG
    K' ← φ(π, K)
    If K' = ⊥ then return ⊥
    If T[K'] = ⊥ then
      If b = 1 then T[K'] ← G(π, K')
      Else T[K'] ←$ {0,1}^{r(k)}
    Return T[K']

  proc Finalize(b') // PRG
    Return (b = b')

  proc Initialize // ICR
    π ←$ P(1^k) ; K ←$ K(π) ; Win ← false
    Return π

  proc Gen(φ) // ICR
    K' ← φ(π, K)
    If K' = ⊥ then return ⊥
    If ((G(π, K') = G(π, K)) ∧ (K ≠ K')) then Win ← true
    Return G(π, K')

  proc Finalize() // ICR
    Return Win

Fig. 3. Games defining Φ-RKA security and identity-collision-resistance for PRG = (P, K, G, r).

5 ICR PRGs: A Tool in Our Constructions

We will be using Φ-RKA PRFs to build Φ-RKA instances of many other primitives. An important technical difficulty will be to avoid assuming Φ is claw-free. A tool we introduce and use for this purpose is a Φ-RKA PRG satisfying a weak form of collision-resistance under RKA that we call Φ-ICR. In this section we define this primitive and show how to achieve it based on a Φ-RKA and Φ-IDFP secure PRF.

RKA PRGs. A PRG PRG = (P, K, G, r) is specified by a parameter generation algorithm, a key generation algorithm, an evaluation algorithm and an output length r(·). Game PRG of Fig. 3 is associated to PRG and an RKA specification Φ that is compatible with PRG. Let $\mathrm{Adv}^{\mathrm{prg}}_{\mathit{PRG},\Phi,A}(k) = 2\Pr[\mathrm{PRG}^A \Rightarrow \mathsf{true}] - 1$ when the game has input $1^k$. We say PRG is Φ-RKA secure if this advantage function is negligible for all PT adversaries A.

We clarify that, unlike a normal PRG, we do not require a Φ-RKA PRG to be length extending, meaning that outputs need not be longer than inputs. If one does want a length extending Φ-RKA PRG (we won't) one can get it by applying a normal-secure PRG to the output of a given Φ-RKA PRG.

ICR. We define and use a weak form of collision-resistance for PRGs which requires that the adversary be unable to find φ so that φ(π, K) ≠ K yet G(π, φ(π, K)) = G(π, K). Game ICR of Fig. 3 is associated to PRG and an RKA specification Φ that is compatible with PRG. Let $\mathrm{Adv}^{\mathrm{icr}}_{\mathit{PRG},\Phi,A}(k)$ equal $\Pr[\mathrm{ICR}^A \Rightarrow \mathsf{true}]$ when the game has input $1^k$. (ICR is a search game, so the advantage is the success probability itself rather than a distinguishing advantage.) We say PRG is Φ-ICR (identity-collision-resistant) secure if this advantage function is negligible.

Does RKA security imply ICR security? At first glance it would seem that if a PRG PRG = (P, K, G, r) is Φ-RKA secure then it is also Φ-ICR secure. Indeed, suppose an adversary has φ such that φ(π, K) ≠ K yet G(π, φ(π, K)) = G(π, K). Let it query $R_0$ ← Gen(id) and $R_1$ ← Gen(φ) and return 1 if $R_0 = R_1$ and 0 otherwise. In the real (b = 1) case $R_0, R_1$ are equal, but in the random (b = 0) case they would appear very unlikely to be equal, so this strategy would appear to have high advantage in breaking the Φ-RKA security of PRG. The catch is in our starting assumption, which made it appear that "φ(π, K) ≠ K yet G(π, φ(π, K)) = G(π, K)" was an absolute fact, true both for b = 0 and b = 1. If φ(π, K) and K are different in the real game but equal in the random game, the adversary sees an output collision in both cases and its advantage disappears. Can this actually happen? It can, and indeed the claim (that Φ-RKA security implies Φ-ICR security) is false:

Proposition 2. Suppose there exists a normal-secure PRG PRG = (P, K, G, r) with r(·) = ω(log(·)). Then there exists a PRG $\overline{\mathit{PRG}} = (P, \overline{K}, \overline{G}, r)$ and a class Φ such that $\overline{\mathit{PRG}}$ is Φ-RKA secure but $\overline{\mathit{PRG}}$ is not Φ-ICR secure.

A proof is in [2]. Briefly, the constructed PRG $\overline{\mathit{PRG}}$ adds a redundant bit to the seed of PRG so that seeds differing only in their first bit yield the same output, meaning it has non-trivial collisions. But Φ is crafted so that its members deviate from the identity function only in the real game, so that output collisions appear just as often in both cases, but in the real game they are non-trivial while in the random game they are trivial.

Construction. We saw above that not all Φ-RKA PRGs are Φ-ICR secure. Our containments will rely crucially on ones that are. We obtain them from Φ-RKA PRFs that have key fingerprints for the identity function:

Proposition 3. Let FF = (P, K, F) be a Φ-RKA PRF with output length l. Let IKfp be a Φ-IDFP secure identity key fingerprint function for FF with vector length v. Let r = l·v and let $\overline{K}$, on input π ‖ w, return K(π). Define PRG PRG = (P ‖ IKfp, $\overline{K}$, G, r) via

$$G(\pi \,\|\, w,\ K) = F(\pi, K, w[1]) \,\|\, \cdots \,\|\, F(\pi, K, w[v]).$$

Then PRG is Φ-RKA secure and Φ-ICR secure.

  proc Initialize // Sig
    π ←$ P(1^k) ; M ← ∅
    (vk, sk) ←$ K(π)
    Return (π, vk)

  proc Sign(φ, m) // Sig
    sk' ← φ(π, sk)
    If sk' = ⊥ then return ⊥
    If sk' = sk then M ← M ∪ {m}
    Return σ ←$ S(π, sk', m)

  proc Finalize(m, σ) // Sig
    Return ((V(π, vk, m, σ) = 1) ∧ (m ∉ M))

  proc Initialize // IBE
    π ←$ P(1^k) ; (mpk, msk) ←$ M(π)
    b ←$ {0,1} ; id* ← ⊥ ; S ← ∅
    Return (π, mpk)

  proc KD(φ, id) // IBE
    msk' ← φ(π, msk)
    If msk' = ⊥ then return ⊥
    If msk' = msk then S ← S ∪ {id}
    If (msk' = msk) ∧ (id = id*) then return ⊥
    Return dk ←$ K(π, mpk, msk', id)

  proc LR(id, m_0, m_1) // IBE
    If |m_0| ≠ |m_1| then return ⊥
    id* ← id ; If id* ∈ S then return ⊥
    Return C ←$ E(π, mpk, id, m_b)

  proc Finalize(b') // IBE
    Return ((b = b') ∧ (id* ∉ S))

Fig. 4. Games defining Φ-RKA security for primitives Sig, IBE.

6 Relations

We first present a containment and a non-containment related to Sig. Then we turn to IBE-related results. Other results can be found in [2].

Signatures. A signature scheme DS = (P, K, S, V) is specified as usual by its parameter generation, key generation, signing and verifying algorithms. Game Sig of Fig. 4 is associated to DS and an RKA specification Φ that is compatible with DS. Let $\mathrm{Adv}^{\mathrm{sig}}_{\mathit{DS},\Phi,A}(k) = \Pr[\mathrm{Sig}^A \Rightarrow \mathsf{true}]$ when the game has input $1^k$. We say DS is Φ-RKA secure if this advantage function is negligible. Normal security of a signature scheme is recovered by considering Φ that contains only the identity function. One feature of the definition worth highlighting is the way we decide which messages are not legitimate forgeries. They are the ones signed with the real key sk, which means that oracle Sign needs to check when a related key equals the real one and record the corresponding message; this check is a source of challenges in reduction-based proofs.

Attacks. In [2] we present an attack, adapted from earlier work, that shows that there are some (quite simple) Φ such that no signature scheme is Φ-RKA secure, meaning Φ ∉ RKA[Sig]. This indicates that the set RKA[Sig] is non-trivial. Similar attacks can be presented for other primitives.
From Φ-RKA PRGs to Φ-RKA signatures. We will prove containments of the form RKA[PRF] ⊆ RKA[P] by proving RKA[PRG] ⊆ RKA[P] and exploiting the fact that RKA[PRF] ⊆ RKA[PRG].

We start with a Φ-RKA PRG PRG = (P, K, G, r) and a normal-secure signature scheme DS = ($\overline{P}$, $\overline{K}$, S, V) such that r(·) is the number of coins used by $\overline{K}$. We now build another signature scheme $\overline{\mathit{DS}}$ = (P ‖ $\overline{P}$, K', $\overline{S}$, V) as follows:

1. Parameters: Parameters for $\overline{\mathit{DS}}$ are the concatenation π ‖ π̄ of independently generated parameters for PRG and DS.

2. Keys: Pick a random seed K ←$ K(π) and let (vk, sk) ← $\overline{K}$(π̄; G(π, K)) be the result of generating verifying and signing keys with coins G(π, K). The new signing key is K and the verifying key remains vk. (Key sk is discarded.)

3. Signing: To sign message m with signing key K, recompute (vk, sk) ← $\overline{K}$(π̄; G(π, K)) and then sign m under S using sk.

4. Verifying: Verify that σ is a base scheme signature of m under vk using V.

Signature scheme $\overline{\mathit{DS}}$ remains compatible with Φ since the parameters of PRG prefix those of $\overline{\mathit{DS}}$.
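As an added illustration (example code written for this edit, not taken from the paper or its authors), the following Python script instantiates steps 1-4 above with toy components. The PRG is built from a PRF with an identity key fingerprint exactly in the shape of Proposition 3, and the base signature scheme is a Lamport one-time signature whose key generation is a deterministic function of its coins. The PRF (HMAC-SHA256), the fingerprint vector, the vector length v and the Lamport base scheme are all assumptions of the example; the paper fixes none of them.

```python
"""Added example, not from the paper: the PRG-to-signature immunization of
Section 6 with toy components.  Hypothetical instantiation choices:
  * PRF F(pi, K, x) = HMAC-SHA256(K, pi || x).
  * Identity key fingerprint w = v distinct domain points, and the PRG
    G(pi || w, K) = F(pi, K, w[1]) || ... || F(pi, K, w[v]) (shape of Prop. 3).
  * Base scheme DS: Lamport one-time signatures over SHA-256 whose key
    generation K_bar(pi_bar; coins) is a deterministic function of its coins,
    so r = |coins| = 32 * v bytes.
"""
import hashlib
import hmac
import os

V = 32                 # fingerprint vector length v (assumption)
L_BYTES = 32           # PRF output length l in bytes (SHA-256)
R_BYTES = L_BYTES * V  # PRG output length r = l*v: the coins consumed by keygen


def prf(pi: bytes, key: bytes, x: bytes) -> bytes:
    """F(pi, K, x): HMAC-SHA256 keyed with K over pi || x."""
    return hmac.new(key, pi + x, hashlib.sha256).digest()


def prg_params(k: int = 16):
    """pi || IKfp: random PRF parameters plus v distinct domain points."""
    pi = os.urandom(k)
    w = [i.to_bytes(2, "big") for i in range(V)]
    return pi, w


def prg(pi: bytes, w, key: bytes) -> bytes:
    """G(pi || w, K) = F(pi, K, w[1]) || ... || F(pi, K, w[v])."""
    return b"".join(prf(pi, key, wi) for wi in w)


def _bits(m: bytes):
    """The 256 bits of SHA-256(m), most significant bit first."""
    h = hashlib.sha256(m).digest()
    return [(h[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_keygen(pi_bar: bytes, coins: bytes):
    """K_bar(pi_bar; coins): derive 256 secret pairs from the coins, publish hashes."""
    assert len(coins) == R_BYTES
    sk = [[hashlib.sha256(pi_bar + coins + bytes([i, b])).digest() for b in (0, 1)]
          for i in range(256)]
    vk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return vk, sk


def lamport_sign(sk, m: bytes):
    """Reveal, for each message-hash bit, the corresponding secret preimage."""
    return [sk[i][bit] for i, bit in enumerate(_bits(m))]


def lamport_verify(vk, m: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == vk[i][bit]
        for i, (s, bit) in enumerate(zip(sig, _bits(m))))


# --- the immunized scheme DS_bar: the signing key is the PRG seed K -----------
def keygen_immunized(pi, w, pi_bar):
    """Step 2: K <-$ K(pi); (vk, sk) <- K_bar(pi_bar; G(K)); keep (vk, K), drop sk."""
    K = os.urandom(32)
    vk, _sk = lamport_keygen(pi_bar, prg(pi, w, K))
    return vk, K


def sign_immunized(pi, w, pi_bar, K, m):
    """Step 3: recompute (vk, sk) from coins G(K), then sign with the base scheme."""
    _vk, sk = lamport_keygen(pi_bar, prg(pi, w, K))
    return lamport_sign(sk, m)


verify_immunized = lamport_verify  # Step 4: verification is the unchanged base V


def related_key_demo():
    """Returns (verifies under the real seed, verifies under a related seed)."""
    pi, w = prg_params()
    pi_bar = os.urandom(16)
    vk, K = keygen_immunized(pi, w, pi_bar)
    m = b"constructed message"                      # constructed sample input
    good = verify_immunized(vk, m, sign_immunized(pi, w, pi_bar, K, m))
    # RKD phi(K) = K xor 0x01...: the derived seed yields coins G(phi(K)) that
    # look independent of G(K), so the signature lives under a fresh key pair
    # and does not verify against the published vk.
    K_rel = bytes(x ^ 0x01 for x in K)
    bad = verify_immunized(vk, m, sign_immunized(pi, w, pi_bar, K_rel, m))
    return good, bad
```

Verification is the untouched base verification, as the construction promises, and the public key format is unchanged. `related_key_demo()` exhibits the behaviour the security argument rests on: a signature computed under a derived seed φ(K) is a valid base signature under some other verification key, not under vk. Because Lamport keys are one-time, the demo signs a single message per seed.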

We want $\overline{\mathit{DS}}$ to inherit the Φ-RKA security of PRG. In fact we will show more, namely that $\overline{\mathit{DS}}$ is (Φ ∪ $\Phi_c$)-RKA secure, where $\Phi_c$ is the class of constant RKDFs associated to Φ. The intuition is deceptively simple. A signing query φ, m of an adversary A attacking $\overline{\mathit{DS}}$ results in a signature of m under what is effectively a fresh signing key, since it is generated using coins G(φ(K)) that are computationally independent of G(K) by the assumed Φ-RKA security of the PRG. Such queries can accordingly be simulated without access to K. On the other hand, signing queries in which φ is a constant function may be simulated directly. The first difficulty is that the adversary attacking the Φ-RKA security of PRG that we must build needs to know when A succeeds, and for this it needs to know when a derived seed equals the real one; it is unclear how to do this without knowing the real seed. The second difficulty is that a queried constant might equal the key. We take an incremental approach to showing how these difficulties are resolved, beginning by assuming Φ is claw-free, which makes the first difficulty vanish:

Theorem 4. Let signature scheme $\overline{\mathit{DS}}$ = (P ‖ $\overline{P}$, K', $\overline{S}$, V) be constructed as above from Φ-RKA PRG PRG = (P, K, G, r) and normal-secure signature scheme DS = ($\overline{P}$, $\overline{K}$, S, V), and assume Φ is claw-free. Then $\overline{\mathit{DS}}$ is (Φ ∪ $\Phi_c$)-RKA secure.

A proof of Theorem 4 is in [2], and the intuition was discussed above. This result, however, is weaker than we would like, for, as we have already said, many interesting classes Φ are not claw-free. Also, this result fails to prove RKA[PRF] ⊆ RKA[Sig], since the first set may contain Φ that are not claw-free. To address this we show that the claw-freeness assumption on Φ can be replaced by the assumption that PRG is Φ-ICR secure:

Theorem 5. Let signature scheme $\overline{\mathit{DS}}$ = (P ‖ $\overline{P}$, K', $\overline{S}$, V) be constructed as above from Φ-RKA secure and Φ-ICR secure PRG PRG = (P, K, G, r) and normal-secure signature scheme DS = ($\overline{P}$, $\overline{K}$, S, V). Then $\overline{\mathit{DS}}$ is (Φ ∪ $\Phi_c$)-RKA secure.

A proof of Theorem 5 is in [2]. Proposition 3 says we can get the PRGs we want from Φ-RKA PRFs, so Theorem 5 establishes the containment RKA[PRF] ⊆ RKA[Sig]. (Theorem 4 only established RKA[PRF] ∩ CF ⊆ RKA[Sig] ∩ CF, where CF denotes the claw-free classes.)

Our construction has the advantage that the verification process as well as the form of the signatures and public key are unchanged. This means it has minimal impact on software, making it easier to deploy than a totally new scheme. Signing in the scheme now involves evaluation of a Φ-RKA PRG, but this can be made cheap via an AES-based instantiation. However, signing also involves running the key-generation algorithm $\overline{K}$ of the base scheme, which might be expensive.

This construction also meets a stronger notion of Φ-RKA security where the adversary cannot even forge a signature relative to the public keys associated with the derived secret keys. We elaborate on this in [2].

Some base signature schemes lend themselves naturally and directly to immunization against RKAs via Φ-RKA PRFs. This is true for the classical binary-tree, one-time-signature based scheme, where the secret key is already that of a PRF. If the latter is Φ-RKA secure we can show the signature scheme (unmodified) is too, and moreover also meets the strong version of the definition alluded to above. See [2].

Separating Φ-RKA PRFs from Φ-RKA signatures. Having just shown that RKA[PRF] ⊆ RKA[Sig], it is natural to ask whether the converse is true as well, meaning whether the sets are equal. The answer is no, so RKA[Sig] ⊄ RKA[PRF]. The interpretation is that there exist Φ such that there exist Φ-RKA secure signatures, but there are no Φ-RKA PRFs. An example is when Φ = $\Phi_c$ is the set of constant functions. Theorem 5 implies that there exists a $\Phi_c$-RKA secure signature scheme by setting Φ = ∅ in the theorem, so that PRG need only be a normal-secure PRG. But simple attacks show that no PRF can be $\Phi_c$-RKA secure: an adversary that queries the constant function with value c knows the derived key and can evaluate F(π, c, ·) itself to distinguish. Thus, this separation is quite easily obtained. In [2] we present others which are more interesting. This separation motivates finding other avenues to Φ-RKA signatures. Below we will show that IBE is one such avenue.

IBE. Our specification of an IBE scheme IBE = (P, M, K, E, D) adds a parameter generation algorithm P that given $1^k$ returns parameters π on which the master-key generation algorithm M runs to produce the master public key mpk and master secret key msk. The rest is as usual except that algorithms get π as an additional input. Game IBE of Fig. 4 is associated to IBE and an RKA specification Φ = (P, Q) that is compatible with IBE. An adversary is allowed only one query to LR. Let $\mathrm{Adv}^{\mathrm{ibe}}_{\mathit{IBE},\Phi,A}(k)$ equal $2\Pr[\mathrm{IBE}^A \Rightarrow \mathsf{true}] - 1$ when the game has input $1^k$. We say IBE is Φ-RKA secure if this advantage function is negligible. Here the feature of the definition worth remarking on is that the adversary loses if it ever issues a query to KD that contains the challenge identity and derives the same master secret key. In [2] we show (1) that the standard Naor transform preserves RKA security and thus RKA[IBE] ⊆ RKA[Sig], and (2) that the BCHK transform preserves RKA security and thus RKA[IBE] ⊆ RKA[PKE-CCA].

Other relations. The remaining results and definitions from Fig. 1 are presented in [2].
Abstract. We present an accelerated Schoof-type point-counting algorithm for curves of genus 2 equipped with an efficiently computable real multiplication endomorphism. Our new algorithm reduces the complexity of genus 2 point counting over a finite field $\mathbb{F}_q$ of large characteristic from $\widetilde{O}(\log^8 q)$ to $\widetilde{O}(\log^5 q)$. Using our algorithm we compute a 256-bit prime-order Jacobian, suitable for cryptographic applications, and also the order of a 1024-bit Jacobian.

1 Introduction 

Cryptosystems based on curves of genus 2 offer per-bit security and efficiency comparable with elliptic curve cryptosystems. However, many of the computational problems related to creating secure instances of genus 2 cryptosystems are considerably more difficult than their elliptic curve analogues. Point counting (or, from a cryptographic point of view, computing the cardinality of a cryptographic group) offers a good example of this disparity, at least for curves defined over large prime fields. Indeed, while computing the order of a cryptographic-sized elliptic curve with the Schoof-Elkies-Atkin algorithm is now routine, computing the order of a comparable genus 2 Jacobian requires a significant computational effort.

In this article we describe a number of improvements to the classical Schoof-Pila algorithm for genus 2 curves with explicit and efficient real multiplication (RM). For explicit RM curves over $\mathbb{F}_p$, we reduce the complexity of Schoof-Pila from $\widetilde{O}(\log^8 p)$ to $\widetilde{O}(\log^5 p)$. We applied a first implementation of our algorithms to find prime-order Jacobians over 128-bit fields (comparable to prime-order elliptic curves over 256-bit fields, and therefore suitable for contemporary cryptographic applications). Going further, we were able to compute the order of an RM Jacobian over a 512-bit prime field, far beyond the cryptographic range. (For comparison, the previous record computation in genus 2 was over a 128-bit field.)

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 504-519, 2011.

While these RM curves are special, they are not "too special". Every ordinary genus 2 Jacobian over a finite field has RM; our special requirement is that this RM be known in advance and efficiently computable. The moduli of curves with RM by a fixed ring form 2-dimensional subvarieties (Humbert surfaces) in the 3-dimensional moduli space of all genus 2 curves. We can generate random curves with the specified RM by choosing random points on an explicit model of the corresponding Humbert surface. In comparison with elliptic curves, for which the moduli space is one-dimensional, this still gives an additional degree of freedom in the random curve selection. To generate random curves with efficiently computable RM, we choose random curves from some known one- and two-parameter families.

Curves with efficiently computable RM have an additional benefit in cryptography: the efficient endomorphism can be used to accelerate scalar multiplication on the Jacobian, yielding faster encryption and decryption. The RM formulae are also compatible with fast arithmetic based on theta functions.

2 Conventional Point Counting for Genus 2 Curves

Let C be a curve of genus 2 over a finite field $\mathbb{F}_q$ of odd characteristic, defined by an affine model $y^2 = f(x)$, where f is a squarefree polynomial of degree 5 or 6 over $\mathbb{F}_q$. Let $J_C$ be the Jacobian of C: we assume $J_C$ is ordinary and absolutely simple. Points on $J_C$ correspond to degree-0 divisor classes on C; we use the Mumford representation for divisor classes together with the usual Cantor-style composition and reduction algorithms for divisor class arithmetic. Multiplication by ℓ on $J_C$ is denoted by [ℓ], and its kernel by $J_C[\ell]$. More generally, if φ is an endomorphism of $J_C$ then $J_C[\phi] = \ker(\phi)$, and if S is a set of endomorphisms then $J_C[S]$ denotes the intersection of ker(φ) for φ in S.

2.1 The Characteristic Polynomial of Frobenius

We let π denote the Frobenius endomorphism of $J_C$, with Rosati dual $\pi^\dagger$ (so $\pi\pi^\dagger = [q]$). The characteristic polynomial of π has the form

$$\chi(T) = T^4 - s_1 T^3 + (s_2 + 2q)\,T^2 - q s_1 T + q^2, \qquad (1)$$

where $s_1$ and $s_2$ are integers (our $s_2$ is a translation of the standard definition). The polynomial χ(T) determines the cardinality of $J_C(\mathbb{F}_{q^k})$ for all k: in particular, $\#J_C(\mathbb{F}_q) = \chi(1)$. Determining χ(T) is called the point counting problem.

The polynomial χ(T) is a Weil polynomial: all of its complex roots lie on the circle $|z| = \sqrt{q}$. This implies the Weil bounds

$$|s_1| \le 4\sqrt{q} \quad\text{and}\quad |s_2| \le 4q.$$

The possible values of $(s_1, s_2)$ do not fill the whole rectangle specified by the Weil bounds: Rück [Theorem 1.1] shows that $s_1$ and $s_2$ satisfy

$$s_1^2 - 4s_2 \ge 0 \quad\text{and}\quad s_2 + 4q \ge 2|s_1|\sqrt{q}.$$


506 P. Gaudry, D. Kohel, and B. Smith 



2.2 The Classical Schoof-Pila Algorithm for Genus 2 Curves

The objective of point counting is to compute χ(T), or equivalently the tuple of integers $(s_1, s_2)$. When the characteristic of $\mathbb{F}_q$ is large, the conventional approach is to apply the Schoof-Pila algorithm as far as is practical, before passing to a baby-step giant-step algorithm if necessary (see §2.5).

The strategy of Schoof's algorithm and its generalizations is to compute the polynomials $\chi_\ell(T) = \chi(T) \bmod \ell$ for sufficiently many primes (or prime powers) ℓ to reconstruct χ(T) using the Chinese Remainder Theorem (CRT). Since $\chi_\ell(T)$ is the characteristic polynomial of π restricted to $J_C[\ell]$ (see [13, Proposition 2.1]), we have

$$\chi_\ell(\pi)(D) = 0 \quad\text{for all } D \text{ in } J_C[\ell].$$

Conversely, to compute $\chi_\ell(T)$ we let D be a generic element of $J_C[\ell]$ (as in §2.3 below), compute the three points

$$(\pi^2 + [q])^2(D), \qquad (\pi^2 + [q])\,\pi(D), \qquad\text{and}\qquad \pi^2(D),$$

and then search for the coefficients $(\bar s_1, \bar s_2)$ of $\chi_\ell(T)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ for which the linear relation

$$(\pi^2 + [q])^2(D) - [\bar s_1]\,(\pi^2 + [q])\,\pi(D) + [\bar s_2]\,\pi^2(D) = 0 \qquad (2)$$

holds. (Expanding (2) gives $\pi^4 - \bar s_1\pi^3 + (\bar s_2 + 2q)\pi^2 - q\bar s_1\pi + q^2$ applied to D, that is, $\chi_\ell(\pi)(D)$.) If the minimal polynomial of π on $J_C[\ell]$ is a proper divisor of $\chi_\ell(T)$, which occurs for at most a finite number of ℓ (those dividing disc(χ)), then the polynomial so determined is not unique, but $\chi_\ell(T)$ can be determined by deducing the correct multiplicities of its factors.

Once we have computed $\chi_\ell(T)$ for sufficiently many ℓ, we reconstruct χ(T) using the CRT. The Weil and Rück bounds together with a weak version of the prime number theorem tell us how many ℓ are required: Pila notes in [13, §1] that the set of O(log q) primes ℓ < 21 log q will suffice. We analyse the complexity of the classical Schoof-Pila algorithm in §2.4.

2.3 Endomorphisms and Generic Kernel Elements

We now recall how to construct an effective version of a generic ℓ-torsion element. We present it in a slightly more general setting, so that we can use this ingredient in the subsequent RM-specific algorithm: we compute a generic element of the kernel of some endomorphism φ of $J_C$ (the classical algorithm takes φ = [ℓ]).


Definition 1. Fix an embedding $P \mapsto D_P$ of C in $J_C$. We say that an endomorphism φ of $J_C$ is explicit if we can effectively compute polynomials $d_0, d_1, d_2, e_0, e_1$, and $e_2$ such that if $P = (x_P, y_P)$ is a generic point of C, then the Mumford representation of $\phi(D_P)$ is given by

$$\phi(D_P) = \left( x^2 - \frac{d_1(x_P)}{d_2(x_P)}\,x + \frac{d_0(x_P)}{d_2(x_P)},\;\; y - y_P\left(\frac{e_1(x_P)}{e_2(x_P)}\,x + \frac{e_0(x_P)}{e_2(x_P)}\right)\right). \qquad (3)$$

The $d_0, d_1, d_2, e_0, e_1$, and $e_2$ are called the φ-division polynomials.

In the case φ = [ℓ], the [ℓ]-division polynomials are the ℓ-division polynomials of Cantor. The φ-division polynomials depend on the choice of embedding $P \mapsto D_P$; we will make this choice explicit when computing the φ-division polynomials for each of our families. Note that if φ is an explicit endomorphism, then we can use (3) (extending ℤ-linearly) to evaluate φ(D) for general divisor classes D in $J_C$.

To compute a generic element of $J_C[\phi]$, we generalize the earlier approach for computing generic elements of $J_C[\ell]$. The resulting algorithm is essentially the same as in §3 of that work (except for the parasite computation step, which we omit), with φ-division polynomials replacing ℓ-division polynomials, so we will only briefly sketch it here.

Let $D = (x^2 + a_1 x + a_0,\; y - (b_1 x + b_0))$ be (the Mumford representation of) a generic point of $J_C$. We want to compute a triangular ideal $I_\phi$ in $\mathbb{F}_q[a_1, a_0, b_1, b_0]$ vanishing on the nonzero elements of $J_C[\phi]$. The element D equals $D_{(x_1,y_1)} + D_{(x_2,y_2)}$, where $(x_1, y_1)$ and $(x_2, y_2)$ are generic points of C. To find a triangular system of relations on the $a_i$ and $b_i$ such that D is in $J_C[\phi]$ we solve for $x_1, y_1, x_2$, and $y_2$ in

using (3) and resultants computed with the evaluation-interpolation technique of §3.1 of the cited work. We then resymmetrize as in §3.2 there to express the result in terms of the $a_i$ and $b_i$. We can now compute with a "generic" element $(x^2 + a_1 x + a_0,\; y - (b_1 x + b_0))$ of $J_C[\phi]$ by reducing the coefficients modulo $I_\phi$ after each operation.

Following the complexity analysis of §3.5 of the cited work, we can compute a triangular representation for $I_\phi$ in $O(\delta^2 M(\delta)\log\delta + M(\delta^2)\log\delta)$ field operations, where δ is the maximum among the degrees of the φ-division polynomials, and M(d) is the number of operations required to multiply polynomials of degree d over $\mathbb{F}_q$. Using asymptotically fast multiplication algorithms, we can therefore compute $I_\phi$ in $\widetilde{O}(\delta^3)$ field operations. The degree of $I_\phi$ is in $O(\delta^2)$; with this triangular representation, each multiplication modulo $I_\phi$ costs $O(\delta^2)$ field operations.


2.4 Complexity of Classical Schoof-Pila Point Counting

Proposition 1. The complexity of the classical Schoof-Pila algorithm for a curve of genus 2 over $\mathbb{F}_q$ is in $\widetilde{O}((\log q)^8)$.

Proof. To determine χ(T), we need to compute $\chi_\ell(T)$ for O(log q) primes ℓ in O(log q). To compute $\chi_\ell(T)$, we must first compute the ℓ-division polynomials, which have degrees in $O(\ell^2)$. We then compute the kernel ideal $I_\ell$; the total cost is in $\widetilde{O}(\ell^6)$ field operations, according to §2.3. The cost of checking (2) against a generic element of $J_C[\ell]$ decomposes into the cost of computing Frobenius images of the generic element, in $O(\ell^4 \log q)$, and of finding the matching pair $(\bar s_1, \bar s_2)$, in $O(\ell^5)$ field operations. So the total complexity for computing $\chi_\ell(T)$ is in $\widetilde{O}(\ell^4(\ell^2 + \log q))$ field operations. In terms of bit operations, for each ℓ bounded by O(log q), we compute $\chi_\ell(T)$ in time $\widetilde{O}((\log q)^7)$. The result follows from the addition of these costs for all the O(log q) different ℓ. □


2.5 Baby-Step Giant-Step Algorithms

In practice, computing $\chi_\ell(T)$ with classical Schoof-Pila becomes impractical for large values of ℓ. The usual approach is to carry out the Schoof-Pila algorithm to the extent possible, obtaining congruences for $s_1$ and $s_2$ modulo some integer M, before completing the calculation using a generic group algorithm such as baby-step giant-step (BSGS). Our BSGS algorithm of choice is the low-memory parallelized variant of the Matsuo-Chao-Tsuji algorithm.

The Weil bounds imply that the search space of candidates for $(s_1, s_2)$ is in $O(q^{3/2})$, so a pure BSGS approach finds $(s_1, s_2)$ in time and space $O(q^{3/4})$. However, when we apply BSGS after a partial Schoof-Pila computation, we have a congruence for $(s_1, s_2)$ modulo M. If $M < 8\sqrt{q}$, then the size of the search space is reduced to $O(q^{3/2}/M^2)$, and the complexity for finding $(s_1, s_2)$ is reduced to $O(q^{3/4}/M)$. For larger M, the value of $s_1$ is fully determined; the problem is reduced to a one-dimensional search space of size O(q/M), for which the complexity is $O(\sqrt{q/M})$.

3 Point Counting in Genus 2 with Real Multiplication

By assumption, $J_C$ is ordinary and simple, so χ(T) is an irreducible polynomial defining a quartic CM-field with real quadratic subfield $\mathbb{Q}(\sqrt{\Delta})$. We say that $J_C$ (and C) has real multiplication (RM) by $\mathbb{Q}(\sqrt{\Delta})$. For a randomly selected curve, Δ is in O(q); but in the sequel we consider families of curves with RM by $\mathbb{Q}(\sqrt{\Delta})$ for small Δ (= 5 or 8), admitting an explicit (in the sense of Definition 1) endomorphism φ such that

$$\mathbb{Z}[\phi] = \mathbb{Q}(\sqrt{\Delta}) \cap \mathrm{End}(J_C) \qquad (4)$$

(that is, ℤ[φ] is the full real subring of End($J_C$)), and $\mathrm{disc}(\mathbb{Z}[\phi]) = \Delta$.

We presume that the trace Tr(φ) and norm N(φ), such that $\phi^2 - \mathrm{Tr}(\phi)\,\phi + \mathrm{N}(\phi) = 0$, are known. We also suppose that φ is efficient, in the following sense:

Definition 2. We say that an explicit endomorphism φ is efficiently computable if evaluating φ at points of $J_C(\mathbb{F}_q)$ requires only O(1) field operations (comparable to a few group operations in $J_C$). In practice, this means that the φ-division polynomials have small degree.

The existence of an efficiently computable φ and knowledge of Δ allow us to make significant improvements to each stage of the Schoof-Pila algorithm. Briefly: in §3.2 we use φ to simplify the testing procedure for each ℓ; in §3.3 we show that when ℓ splits in ℤ[φ], we can use φ to obtain a radical reduction in complexity for computing $\chi_\ell(T)$; and in §3.4 we show that knowing an effective φ allows us to use many fewer primes ℓ.


3.1 The RM Characteristic Polynomial

Let $\psi = \pi + \pi^\dagger$; we consider ℤ[ψ], a subring of the real quadratic subring of End($J_C$). The characteristic polynomial of ψ is the real Weil polynomial

$$\xi(T) = T^2 - s_1 T + s_2; \qquad (5)$$

the discriminant of ℤ[ψ] is $\Delta_0 = s_1^2 - 4s_2$. The analogue of Rück's bounds for $(s_1, \Delta_0)$ is

$$(|s_1| - 4\sqrt{q})^2 \;\ge\; \Delta_0 = s_1^2 - 4s_2 \;\ge\; 0. \qquad (6)$$

Equation (4) implies that ℤ[ψ] is contained in ℤ[φ], so there exist integers m and n such that

$$\psi = m + n\phi. \qquad (7)$$

Both $s_1$ and $s_2$ are determined by m and n: we have

$$s_1 = \mathrm{Tr}(\psi) = 2m + n\,\mathrm{Tr}(\phi) \quad\text{and}\quad s_2 = \mathrm{N}(\psi) = \frac{s_1^2 - n^2\Delta}{4}. \qquad (8)$$

In fact n is the conductor of ℤ[ψ] in ℤ[φ] up to sign: $|n| = [\mathbb{Z}[\phi] : \mathbb{Z}[\psi]]$, and hence

$$\Delta_0 = \mathrm{disc}(\mathbb{Z}[\psi]) = s_1^2 - 4s_2 = n^2\Delta.$$

Taking square roots in the bounds of (6) gives bounds on $s_1$ and n:

$$4\sqrt{q} - |s_1| \;\ge\; \sqrt{\Delta_0} = |n|\sqrt{\Delta} \;\ge\; 0.$$

In particular, $|s_1| \le 4\sqrt{q}$ and $|n| \le 4\sqrt{q/\Delta}$. Applying (8), we have the bounds

$$|m| \le 2\big(|\mathrm{Tr}(\phi)| + \sqrt{\Delta}\big)\sqrt{q/\Delta} \quad\text{and}\quad |n| \le 4\sqrt{q/\Delta}. \qquad (9)$$

Both |m| and |n| are in $O(\sqrt{q})$.
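As an added worked example (written for this edit, not part of the paper), the script below carries relations (1), (6), (8) and (9) and the CRT reconstruction step of §2.2 through on constructed numbers: q = 101, Δ = 5 (so Tr(φ) = 1 and N(φ) = −1, as for the golden ratio) and a made-up pair (m, n) = (3, 2). These values only exercise the formulas and are not claimed to come from an actual curve. The example also shows how the bounds in (9) decide how many small primes ℓ the CRT reconstruction of (m, n) needs, which is the mechanism behind using fewer primes than the classical algorithm.

```python
"""Added worked example, not from the paper: the arithmetic of Sections 2.1,
2.2 and 3.1 on constructed inputs.  q, Delta, Tr(phi), m and n below are made
up to exercise equations (1), (6), (8), (9) and the CRT step; they are not
claimed to describe a real genus 2 Jacobian."""
from math import prod, sqrt


def chi_coeffs(s1, s2, q):
    """Coefficients of chi(T) = T^4 - s1 T^3 + (s2 + 2q) T^2 - q s1 T + q^2, eq. (1)."""
    return [1, -s1, s2 + 2 * q, -q * s1, q * q]


def jacobian_order(s1, s2, q):
    """#J_C(F_q) = chi(1)."""
    return sum(chi_coeffs(s1, s2, q))


def weil_ruck_ok(s1, s2, q):
    """Weil bounds |s1| <= 4 sqrt(q), |s2| <= 4q and Rueck's refinement
    s1^2 - 4 s2 >= 0, s2 + 4q >= 2|s1| sqrt(q) (squared to stay in integers;
    s2 + 4q >= 0 is guaranteed by the Weil bound checked first)."""
    return (s1 * s1 <= 16 * q and abs(s2) <= 4 * q
            and s1 * s1 - 4 * s2 >= 0
            and (s2 + 4 * q) ** 2 >= 4 * s1 * s1 * q)


def s_from_mn(m, n, tr_phi, delta):
    """Eq. (8): s1 = 2m + n Tr(phi), s2 = (s1^2 - n^2 Delta)/4 for psi = m + n phi."""
    s1 = 2 * m + n * tr_phi
    num = s1 * s1 - n * n * delta
    if num % 4:
        raise ValueError("Delta must be the discriminant of phi's minimal polynomial")
    return s1, num // 4


def mn_bounds(q, delta, tr_phi):
    """Eq. (9): |m| <= 2(|Tr(phi)| + sqrt(Delta)) sqrt(q/Delta), |n| <= 4 sqrt(q/Delta)."""
    root = sqrt(q / delta)
    return 2 * (abs(tr_phi) + sqrt(delta)) * root, 4 * root


def small_primes_with_product_above(bound):
    """Smallest primes 2, 3, 5, ... whose product exceeds `bound` (the CRT moduli)."""
    primes, p, n = [], 1, 2
    while p <= bound:
        if all(n % d for d in range(2, n)):   # trial division; fine for tiny n
            primes.append(n)
            p *= n
        n += 1
    return primes


def crt_symmetric(residues, moduli):
    """Integer x with |x| < M/2, M = prod(moduli), from the residues x mod l_i."""
    M = prod(moduli)
    x = 0
    for r, l in zip(residues, moduli):
        Mi = M // l
        x += r * Mi * pow(Mi, -1, l)
    x %= M
    return x - M if x > M // 2 else x


def recover_mn(q, delta, tr_phi, residues_mod):
    """Reconstruct (m, n) from an oracle giving (m mod l, n mod l) for prime l:
    eq. (9) bounds the unknowns, so the product of moduli must exceed twice
    the larger bound for the symmetric CRT lift to be unambiguous."""
    bm, bn = mn_bounds(q, delta, tr_phi)
    primes = small_primes_with_product_above(2 * max(bm, bn))
    ms, ns = zip(*(residues_mod(l) for l in primes))
    return crt_symmetric(ms, primes), crt_symmetric(ns, primes), primes


def demo():
    """Constructed instance: q = 101, Delta = 5, Tr(phi) = 1, (m, n) = (3, 2)."""
    q, delta, tr_phi, m, n = 101, 5, 1, 3, 2
    s1, s2 = s_from_mn(m, n, tr_phi, delta)           # (8, 11)
    assert s1 * s1 - 4 * s2 == n * n * delta          # Delta_0 = n^2 Delta
    assert weil_ruck_ok(s1, s2, q)                    # (6) holds
    rec_m, rec_n, primes = recover_mn(q, delta, tr_phi, lambda l: (m % l, n % l))
    return jacobian_order(s1, s2, q), (rec_m, rec_n), primes
```

For these inputs the bounds (9) are |m| ≤ 29.1 and |n| ≤ 18.0, so the primes 2, 3, 5, 7 (product 210 > 58.2) already determine (m, n) uniquely, whereas recovering $(s_1, s_2)$ directly from the Weil bounds would need a product exceeding $8\sqrt{q}$ and $8q$ respectively.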
3.2 An Efficiently Computable RM Relation

We can use our efficiently computable endomorphism φ to replace the relation (2) with a more efficiently computable alternative. Multiplying (7) through by π, we have

$$\psi\pi = \pi^2 + [q] = m\pi + n\phi\pi.$$

We can therefore compute $\bar m = m \bmod \ell$ and $\bar n = n \bmod \ell$ by letting D be a generic ℓ-torsion point, computing the three points

$$(\pi^2 + [q])(D), \qquad \pi(D), \qquad\text{and}\qquad \phi\pi(D),$$

and then searching for the $\bar m$ and $\bar n$ in ℤ/ℓℤ such that

$$(\pi^2 + [q])(D) - [\bar m]\,\pi(D) - [\bar n]\,\phi\pi(D) = 0 \qquad (10)$$

holds; we can find such an $\bar m$ and $\bar n$ in O(ℓ) group operations.

Solving (10) rather than (2) has several advantages. First, computing $(\pi^2 + [q])(D)$, π(D), and φπ(D) requires only two applications of Frobenius, instead of the four required to compute $(\pi^2 + [q])^2(D)$, $(\pi^2 + [q])\pi(D)$, and $\pi^2(D)$ (and Frobenius applications are costly in practice). Moreover, with (2) either $s_2$ needs to be determined in O(q), or else the value of n in (8) leaves a sign ambiguity for each prime ℓ, because only $n^2 \bmod \ell$ can be deduced from $(s_1, s_2)$. In contrast, (10) determines n directly.


3.3 Exploiting Split Primes in $\mathbb{Q}(\sqrt{\Delta})$

Let $\mathbb{Z}[\phi] \subset \mathrm{End}(J_C)$ be an RM order in $\mathbb{Q}(\phi) = \mathbb{Q}(\sqrt{\Delta})$. Asymptotically, half of all primes $\ell$ split: $(\ell) = \mathfrak{p}_1\mathfrak{p}_2$ in $\mathbb{Z}[\phi]$, where $\mathfrak{p}_1 + \mathfrak{p}_2 = (1)$ (and this carries over to powers of $\ell$). This factorization gives a decomposition of the $\ell$-torsion

$$J_C[\ell] = J_C[\mathfrak{p}_1] \oplus J_C[\mathfrak{p}_2].$$

In particular, any $\ell$-torsion point $D$ can be uniquely expressed as a sum $D = D_1 + D_2$ where $D_i$ is in $J_C[\mathfrak{p}_i]$.

According to the Cohen–Lenstra heuristics [ref], more than 75% of RM fields have class number 1; in each of the explicit RM families in Section 4 the order $\mathbb{Z}[\phi]$ has class number 1. All ideals are principal in such an order, so we may find a generator for each of the ideals $\mathfrak{p}_i$. The following lemma shows that we can find a generator which is not too large.

Lemma 1. If $\mathfrak{p}$ is a principal ideal of norm $\ell$ in a real quadratic order $\mathbb{Z}[\phi]$, then there exists an effectively computable generator of $\mathfrak{p}$ with coefficients in $O(\sqrt{\ell})$.

Proof. Let $\alpha$ be a generator of $\mathfrak{p}$, and $\varepsilon$ a fundamental unit of $\mathbb{Z}[\phi]$. Let $\gamma \mapsto \gamma_1$ and $\gamma \mapsto \gamma_2$ be the two embeddings of $\mathbb{Z}[\phi]$ in $\mathbb{R}$, indexed so that $|\alpha_1| \ge |\alpha_2|$ and $|\varepsilon_1| > 1$ (replacing $\varepsilon$ with $\varepsilon^{-1}$ if necessary). Then $R = \log(|\varepsilon_1|)$ is the regulator of $\mathbb{Z}[\phi]$.

Counting Points on Genus 2 Curves with Real Multiplication 511

Set $\beta = \varepsilon^{k}\alpha$, where $k = [\log(|\alpha_1/\sqrt{\ell}|)/(-R)]$ (rounded to the nearest integer); then $\beta = a + b\phi$ is a new generator for $\mathfrak{p}$ such that

$$-\frac{1}{2} \le \frac{\log(|\beta_1/\sqrt{\ell}|)}{R} \le \frac{1}{2}.$$

Since $|\beta_1\beta_2| = \ell$, the same bound holds for $\beta_2$, and so $|\beta_1 + \beta_2| = |2a + b\,\mathrm{Tr}(\phi)|$ and $|\beta_1 - \beta_2| = |b\sqrt{\Delta}|$ are bounded by $2e^{R/2}\sqrt{\ell}$. Since $\mathrm{Tr}(\phi)$, $\Delta$ and $R$ are fixed constants, $|a|$ and $|b|$ are in $O(\sqrt{\ell})$. The "effective" part of the result follows from classical algorithms for quadratic fields. □

Lemma 2. Let $J_C$ be the Jacobian of a genus 2 curve over a finite field with an efficiently computable RM endomorphism $\phi$. There exists an algorithm which, given a principal ideal $\mathfrak{p}$ of norm $\ell$ in $\mathbb{Z}[\phi]$, computes an explicit generator $\alpha$ of $\mathfrak{p}$ and the $\alpha$-division polynomials in $O(\ell)$ field operations.

Proof. By Lemma 1 we can compute a generator $\alpha = [a] + [b]\phi$ with $a$ and $b$ in $O(\sqrt{\ell})$. The $[a]$- and $[b]$-division polynomials have degrees in $O(\ell)$, and can be determined in $O(\ell)$ field operations. The division polynomials for the sum $\alpha = [a] + [b]\phi$ require one sum and one application of $\phi$; and since $\phi$ is efficiently computable, this increases the division polynomial degrees and computing time by at most a constant factor. □

We can now state the main theorem for RM point counting.

Theorem 1. There exists an algorithm for the point counting problem in a family of genus 2 curves with efficiently computable RM of class number 1, whose complexity is in $\tilde{O}((\log q)^5)$.

Proof. Let $J_C$ be a Jacobian in a family with efficiently computable RM by $\mathbb{Z}[\phi]$. Suppose that $\ell$ is prime, $(\ell) = \mathfrak{p}_1\mathfrak{p}_2$ in $\mathbb{Z}[\phi]$, and that the $\mathfrak{p}_i$ are principal. By Lemma 2 we can compute representative $\alpha$-division polynomials for $\mathfrak{p}_1$ and $\mathfrak{p}_2$, and hence generic points $D_i$ in $J_C[\mathfrak{p}_i]$, in time $O(\ell)$.

We recall that (10) is the homomorphic image under $\pi$ of the equation

$$\psi(D) - [\bar m](D) - [\bar n]\phi(D) = 0.$$

When applied to $D_i$ in $J_C[\mathfrak{p}_i]$, the endomorphisms $\psi$ and $\phi$ act as elements of $\mathbb{Z}[\phi]/\mathfrak{p}_i \cong \mathbb{Z}/\ell\mathbb{Z}$. Moreover $x_i = \phi \bmod \mathfrak{p}_i$ is known, and it remains to determine $y_i = \psi \bmod \mathfrak{p}_i$ by means of the discrete logarithm

$$\psi(D_i) = [y_i](D_i) = [\bar m + \bar n x_i](D_i)$$

in the cyclic group $\langle D_i \rangle \cong \mathbb{Z}/\ell\mathbb{Z}$. The application of $\pi$ transports this discrete logarithm problem to that of solving for $y_i$ in

$$D_i'' = [y_i]\,D_i',$$

where $D_i' = \pi(D_i)$ and $D_i'' = (\pi^2 + [q])(D_i)$. By the CRT, from $(y_1, y_2)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ we recover $y$ in $\mathbb{Z}[\phi]/(\ell)$, from which we solve for $(\bar m, \bar n)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ such that

$$y = \bar m + \bar n\phi \in \mathbb{Z}[\phi]/(\ell).$$

The values of $(\bar s_1, \bar s_2)$ are then recovered from (8).

The ring $\mathbb{Z}[\phi]$ is fixed, so as $\log q$ goes to infinity we find that 50% of all primes $\ell$ split in $\mathbb{Z}[\phi]$ by the Chebotarev density theorem. It therefore suffices to consider split primes in $O(\log q)$. In comparison with the conventional algorithm presented in §2.2, we reduce from computation modulo the ideal for $J_C[\ell]$ of degree in $O(\ell^4)$, to computation modulo the ideals for $J_C[\mathfrak{p}_i]$ of degree in $O(\ell^2)$. This means a reduction from $O(\ell^4(\ell^2 + \log q))$ to $O(\ell^2(\ell + \log q))$ field operations for the determination of each $\chi(T) \bmod \ell$, giving the stated reduction in total complexity from $\tilde{O}((\log q)^8)$ to $\tilde{O}((\log q)^5)$. □

Remark 1. Computing $(m, n)$ instead of $(s_1, s_2)$ allows us to reduce the number of primes $\ell$ to be considered by about a half, since by (9) their product needs to be in $O(\sqrt{q})$ instead of $O(q)$. While this changes only the constant in the asymptotic complexity of the algorithm, it yields a significant improvement in practice.

Remark 2. If the class number $h$ of $\mathbb{Z}[\phi]$ is not 1, and if $(\ell) = \mathfrak{p}_1\mathfrak{p}_2$ where the $\mathfrak{p}_i$ are not principal, then we may apply Lemma 2 to a larger proportion of small ideals by using a small complementary ideal $(c) = \mathfrak{c}_1\mathfrak{c}_2$ such that the $\mathfrak{c}_i\mathfrak{p}_i$ are principal. Moreover, if $(m, n)$ is known modulo $c$, this can be used to reduce the discrete log problem modulo $\ell$. Again, since a fixed positive density $1/(2h)$ of primes are both split and principal, this does not affect the asymptotic complexity. We observe that the first discriminant with $h > 1$ is $\Delta = 65$, well beyond the current range for which an explicit RM construction is known.
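The arithmetic behind Section 3.3 and the CRT step in the proof of Theorem 1, as an added illustration (not the authors' code): a real quadratic order $\mathbb{Z}[\phi]$ is given by the minimal polynomial $T^2 - \mathrm{Tr}(\phi)\,T + N(\phi)$, a prime $\ell$ splits when this polynomial has two roots $x_i = \phi \bmod \mathfrak{p}_i$ in $\mathbb{Z}/\ell\mathbb{Z}$, a generator $a + b\phi$ of $\mathfrak{p}_i = (\ell, \phi - x_i)$ with $|a|, |b| = O(\sqrt{\ell})$ is found either by the search Lemma 1 justifies or by Lemma 1's own unit rescaling, and $(\bar m, \bar n)$ is recovered from the residues $y_i = \psi \bmod \mathfrak{p}_i$. The defaults used in the test are the $\Delta = 5$ order of Sections 4.2 and 4.3, where $\phi^2 + \phi - 1 = 0$ and $\phi$ itself is a unit of norm $-1$; the function names and the search box size are the example's own.

```python
"""Added example: split primes, small generators (Lemma 1) and the CRT recovery of (m, n) mod ell
in Z[phi], phi^2 - tr*phi + nm = 0, Delta = tr^2 - 4 nm.  Not the authors' code."""
from math import isqrt, log, sqrt


def norm(a, b, tr, nm):
    """N(a + b phi) = (a + b phi)(a + b phi') = a^2 + tr*a*b + nm*b^2."""
    return a * a + tr * a * b + nm * b * b


def mul(x, y, tr, nm):
    """(a + b phi)(c + d phi), using phi^2 = tr*phi - nm."""
    (a, b), (c, d) = x, y
    return (a * c - nm * b * d, a * d + b * c + tr * b * d)


def unit_inverse(u, tr, nm):
    """eps^{-1} = eps' / N(eps) for a unit eps = ua + ub phi (N(eps) = +-1), where eps' = ua + ub phi'."""
    ua, ub = u
    s = norm(ua, ub, tr, nm)
    return (s * (ua + tr * ub), -s * ub)


def phi_residues(ell, tr, nm):
    """phi mod p for the primes p over ell: the roots of T^2 - tr T + nm in Z/ell.
    Two roots: (ell) = p1 p2 splits; one root: ell ramifies; no root: ell is inert."""
    return [x for x in range(ell) if (x * x - tr * x + nm) % ell == 0]


def small_generator(ell, x, tr, nm):
    """Generator alpha = a + b phi of p = (ell, phi - x) with |a|, |b| <= 2 sqrt(ell) + 2, by exhaustive
    search over the box Lemma 1 justifies for the orders used here: alpha lies in p iff a + b x = 0 (mod ell),
    and alpha generates p iff |N(alpha)| = ell.  Returns None if the box holds no generator (p not principal)."""
    B = 2 * isqrt(ell) + 2
    best = None
    for b in range(-B, B + 1):
        for a in range(-B, B + 1):
            if (a + b * x) % ell == 0 and abs(norm(a, b, tr, nm)) == ell:
                if best is None or abs(a) + abs(b) < abs(best[0]) + abs(best[1]):
                    best = (a, b)
    return best


def lemma1_reduce(alpha, ell, tr, nm, unit):
    """Lemma 1: rescale a generator alpha of an ideal of norm ell by a power of the unit eps so that
    log(|beta_1| / sqrt(ell)) / R lies in [-1/2, 1/2], where R = log|eps_1| is the regulator."""
    a, b = alpha
    delta = tr * tr - 4 * nm
    emb = [(tr + sqrt(delta)) / 2, (tr - sqrt(delta)) / 2]   # the two real embeddings of phi
    alpha_emb = [a + b * e for e in emb]
    i = 0 if abs(alpha_emb[0]) >= abs(alpha_emb[1]) else 1   # index so that |alpha_1| >= |alpha_2|
    eps = unit
    if abs(eps[0] + eps[1] * emb[i]) < 1:                   # make |eps_1| > 1 (replace eps by eps^{-1})
        eps = unit_inverse(eps, tr, nm)
    R = log(abs(eps[0] + eps[1] * emb[i]))
    k = round(log(abs(alpha_emb[i]) / sqrt(ell)) / (-R))     # beta = eps^k alpha
    step = eps if k >= 0 else unit_inverse(eps, tr, nm)
    beta = (a, b)
    for _ in range(abs(k)):
        beta = mul(beta, step, tr, nm)
    return beta


def crt_recover_mn(ell, x1, x2, y1, y2):
    """Proof of Theorem 1: from y_i = psi mod p_i and x_i = phi mod p_i solve m + n x_i = y_i (mod ell)."""
    n = (y1 - y2) * pow((x1 - x2) % ell, -1, ell) % ell
    m = (y1 - n * x1) % ell
    return (m, n)


if __name__ == "__main__":
    tr, nm = -1, -1                                          # Delta = 5: phi^2 + phi - 1 = 0
    for ell in (5, 11, 13):
        print(ell, phi_residues(ell, tr, nm))
    x1, x2 = phi_residues(11, tr, nm)
    print("generators:", small_generator(11, x1, tr, nm), small_generator(11, x2, tr, nm))
    print("Lemma 1 on 5 + 2 phi:", lemma1_reduce((5, 2), 11, tr, nm, (0, 1)))
    print("(m, n) mod 11 from residues (10, 2):", crt_recover_mn(11, x1, x2, 10, 2))
```

For $\ell = 11$ the residues are $3$ and $7$, and $-3 + \phi$ (norm $11$) generates $(11, \phi - 3)$; the brute-force search is only for illustration, since for large $\ell$ one takes any generator from a quadratic-field routine and applies the unit rescaling of Lemma 1.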

3.4 Shrinking the BSGS Search Space

In the conventional Schoof–Pila context, we need to find $s_1$ in $O(\sqrt{q})$ and $s_2$ in $O(q)$. However, (9) and the effective form of (10) (valid for all $D$ in $J_C$) replace $(s_1, s_2)$ with the tuple $(m, n)$ of integers in $O(\sqrt{q})$. This reduces the search space size from $O(q^{3/2})$ to $O(q)$, so a BSGS strategy can find $(m, n)$ (which determines $(s_1, s_2)$) in time and space $O(\sqrt{q})$, compared with $O(q^{3/4})$ when searching directly for $(s_1, s_2)$.

As in the general case, if one knows $(m, n)$ modulo an integer $M$, then the area of the search rectangle is reduced by a factor of $M^2$, so we find the tuple $(m, n)$ in $O(\sqrt{q}/M)$ group operations. In contrast to the general case of §2.5, since $m$ and $n$ have the same order of magnitude, the speed-up is always by a factor of $M$.

4 Examples of Families of Curves with Explicit RM

We now exhibit some families of curves and efficient RM endomorphisms that can be used as sources of inputs to our algorithm.

4.1 Correspondences and Endomorphisms

To give a concrete representation for endomorphisms of $J_C$, we use correspondences: that is, divisors on the surface $C \times C$. Suppose that $\mathcal{R}$ is a curve on $C \times C$, and let $\pi_1 : \mathcal{R} \to C$ and $\pi_2 : \mathcal{R} \to C$ be the restrictions to $\mathcal{R}$ of the natural projections from $C \times C$ onto its first and second factors. The pullback homomorphism $(\pi_1)^* : \mathrm{Pic}(C) \to \mathrm{Pic}(\mathcal{R})$ is defined by

$$(\pi_1)^*\Bigl(\Bigl[\sum_{P \in C(\overline{\mathbb{F}}_q)} n_P\,P\Bigr]\Bigr) = \Bigl[\sum_{P \in C(\overline{\mathbb{F}}_q)} n_P \sum_{Q \in \pi_1^{-1}(P)} Q\Bigr],$$

where the preimages $Q$ are counted with the appropriate multiplicities (we can always choose divisor class representatives so that each $\pi_1^{-1}(P)$ is zero-dimensional). The pushforward homomorphism $(\pi_2)_* : \mathrm{Pic}(\mathcal{R}) \to \mathrm{Pic}(C)$ is defined by

$$(\pi_2)_*\Bigl(\Bigl[\sum_{Q \in \mathcal{R}(\overline{\mathbb{F}}_q)} n_Q\,Q\Bigr]\Bigr) = \Bigl[\sum_{Q \in \mathcal{R}(\overline{\mathbb{F}}_q)} n_Q\,\pi_2(Q)\Bigr].$$

Note that $(\pi_1)^*$ maps $\mathrm{Pic}^n(C)$ into $\mathrm{Pic}^{n\deg\pi_1}(\mathcal{R})$ and $(\pi_2)_*$ maps $\mathrm{Pic}^n(\mathcal{R})$ into $\mathrm{Pic}^n(C)$ for all $n$. Hence $(\pi_2)_* \circ (\pi_1)^*$ maps $\mathrm{Pic}^0(C)$ into $\mathrm{Pic}^0(C)$, so we have an induced endomorphism

$$\phi = (\pi_2)_* \circ (\pi_1)^* : J_C \to J_C.$$

We write $x_1, y_1$ and $x_2, y_2$ for the coordinates on the first and second factors of $C \times C$, respectively (so $\pi_i(x_1, y_1, x_2, y_2) = (x_i, y_i)$). In our examples, the correspondence $\mathcal{R}$ will be defined by two equations:

$$\mathcal{R} = V\bigl(A(x_1, x_2),\; B(x_1, y_1, x_2, y_2)\bigr).$$

On the level of divisors, the image of a generic point $P = (x_P, y_P)$ of $C$ (that is, a generic prime divisor) under the endomorphism $\phi$ is given by

$$\phi : (x_P, y_P) \longmapsto V\bigl(A(x_P, x),\; B(x_P, y_P, x, y)\bigr).$$

Using the relations $y_P^2 = f(x_P)$ and $y^2 = f(x)$ (and the fact that correspondences cut out by principal ideals induce the zero homomorphism), we can easily replace $A$ and $B$ with Cantor-reducible generators to derive the Mumford representation of $\phi(P)$, and thus the $\phi$-division polynomials.

4.2 A 1-Dimensional Family with RM by $\mathbb{Z}[(1 + \sqrt{5})/2]$

Let $t$ be a free parameter, and suppose that $q$ is not a power of 5. Let $C_T$ be the family of curves of genus 2 over $\mathbb{F}_q$ considered by Tautz, Top, and Verberkmoes [ref, Example 3.5], defined by

$$C_T : y^2 = x^5 - 5x^3 + 5x + t.$$

Let $\tau_5 = \zeta_5 + \zeta_5^{-1}$, where $\zeta_5$ is a 5th root of unity in $\overline{\mathbb{F}}_q$. Let $\phi_T$ be the endomorphism induced by the (constant) family of correspondences

$$\mathcal{R}_T = V\bigl(x_1^2 + x_2^2 - \tau_5 x_1 x_2 + \tau_5^2 - 4,\; y_1 - y_2\bigr) \subset C_T \times C_T.$$

(Note that $\mathcal{R}_T$ and $\phi_T$ are defined over $\mathbb{F}_q(\tau_5)$, which is equal to $\mathbb{F}_q$ if and only if $q \not\equiv \pm 2 \pmod 5$.) The family $C_T$ has a unique point $P_\infty$ at infinity, which we can use to define an embedding of $C_T$ in $J_{C_T}$ by

$$P = (x_P, y_P) \longmapsto D_P := [(P) - (P_\infty)] \leftrightarrow (x - x_P,\; y - y_P).$$

The $\phi_T$-division polynomials with respect to this embedding are

$$d_2 = 1,\quad d_1 = -\tau_5 x,\quad d_0 = x^2 + \tau_5^2 - 4,\quad e_2 = 1,\quad e_1 = 0,\quad e_0 = 1.$$

Proposition 2. The minimal polynomial of $\phi_T$ is $T^2 + T - 1$: that is, $\phi_T$ acts as multiplication by $-(1 + \sqrt{5})/2$ on $J_{C_T}$. A prime $\ell$ splits into two principal ideals in $\mathbb{Z}[\phi_T]$ if and only if $\ell \equiv \pm 1 \pmod 5$.

Proof. The first claim is proven in [23, §3.5]. More directly, if $P$ and $Q$ are generic points of $C_T$, then on the level of divisors we find

$$(\phi_T^2 + \phi_T)\bigl((P) - (Q)\bigr) = (P) - (Q) + (\text{a principal divisor}).$$

Hence $\mathbb{Z}[\phi_T]$ is isomorphic to the ring of integers of $\mathbb{Q}(\sqrt{5})$. The primes $\ell$ splitting in $\mathbb{Q}(\sqrt{5})$ are precisely those congruent to $\pm 1$ modulo 5; and since $\mathbb{Q}(\sqrt{5})$ has class number 1, the primes over $\ell$ are principal. □

The Igusa invariants of $C_T$, viewed as a point in weighted projective space, are $(140 : 550 : 20(32t^2 - 3) : 25(896t^2 - 3109) : 64(t^2 - 4)^2)$; in particular, $C_T$ has a one-dimensional image in the moduli space of curves of genus 2. The Jacobian of the curve with the same defining equation over $\mathbb{Q}(t)$ is absolutely simple (cf. [ref, Remark 15]).
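To see the correspondence $\mathcal{R}_T$ act on a point, here is an added example (not the authors' code) over a small prime field with $q \equiv \pm 1 \pmod 5$: for $P = (x_P, y_P)$ on $C_T$, the image $\phi_T(P)$ is the divisor cut out by $u(X) = d_2X^2 + d_1X + d_0$ with $x = x_P$, together with $y = y_P$ (the second equation of $\mathcal{R}_T$). The code computes $\tau_5$ as a root of $T^2 + T - 1$ in $\mathbb{F}_q$ (which is what $\zeta_5 + \zeta_5^{-1}$ satisfies), checks that $f(X) \equiv f(x_P) \pmod{u(X)}$ so that both points of the image lie on $C_T$, and lists them when $u$ splits over $\mathbb{F}_q$. The values $q = 11$, $t = 2$ and all names are the example's own.

```python
"""Added example: the image of a point under the correspondence R_T of Section 4.2 on
C_T : y^2 = f(x) = x^5 - 5x^3 + 5x + t over F_q, q = +-1 mod 5.  Not the authors' code."""


def f_T(x, t, q):
    return (pow(x, 5, q) - 5 * pow(x, 3, q) + 5 * x + t) % q


def tau5(q):
    """tau_5 = zeta_5 + zeta_5^{-1}, i.e. the smallest root of T^2 + T - 1 in F_q (exists iff q = +-1 mod 5)."""
    for tau in range(q):
        if (tau * tau + tau - 1) % q == 0:
            return tau
    raise ValueError("T^2 + T - 1 has no root in F_q: need q = +-1 mod 5")


def division_poly_u(xP, q):
    """u(X) = d_2 X^2 + d_1 X + d_0 = X^2 - tau_5 x_P X + x_P^2 + tau_5^2 - 4, coefficients lowest degree first."""
    tau = tau5(q)
    return [(xP * xP + tau * tau - 4) % q, (-tau * xP) % q, 1]


def poly_rem(f, u, q):
    """Remainder of f modulo a monic u in F_q[X]; polynomials are coefficient lists, lowest degree first."""
    r = [c % q for c in f]
    while len(r) >= len(u):
        lead, shift = r[-1], len(r) - len(u)
        for i, c in enumerate(u):
            r[shift + i] = (r[shift + i] - lead * c) % q
        r.pop()
    while r and r[-1] == 0:
        r.pop()
    return r


def image_on_curve(xP, t, q):
    """True iff f(X) - f(x_P) = 0 mod u(X): every root x of u then has f(x) = f(x_P) = y_P^2, so both
    points (x, y_P) of phi_T(P) lie on C_T (the y-part of R_T is y_1 = y_2)."""
    f_minus_const = [(t - f_T(xP, t, q)) % q, 5, 0, (-5) % q, 0, 1]
    return poly_rem(f_minus_const, division_poly_u(xP, q), q) == []


def image_points(xP, yP, t, q):
    """The points of phi_T(P) when u(X) splits over F_q, with multiplicity; [] when its roots lie in F_{q^2}
    (the divisor is then still F_q-rational through its Mumford representation (u(X), y_P))."""
    c0, c1, _ = division_poly_u(xP, q)
    roots = [x for x in range(q) if (x * x + c1 * x + c0) % q == 0]
    if len(roots) == 1:                       # discriminant zero: the image is 2 (x, y_P)
        roots = roots * 2
    return [(x, yP) for x in roots]


def on_curve(x, y, t, q):
    return (y * y - f_T(x, t, q)) % q == 0


if __name__ == "__main__":
    q, t = 11, 2                              # constructed parameters: 11 = 1 mod 5
    print("tau_5 =", tau5(q))
    for xP in range(q):
        print(xP, image_on_curve(xP, t, q), image_points(xP, 0, t, q))
```

The remainder test is the polynomial identity behind $\mathcal{R}_T \subset C_T \times C_T$ (with $x = u + u^{-1}$ the roots of $u(X)$ are $\zeta_5^{\pm 1}u + \zeta_5^{\mp 1}u^{-1}$, which $x^5 - 5x^3 + 5x$ does not distinguish), so it holds for every $x_P$, including the double-root case $x_P = \pm 2$.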

4.3 A 2-Dimensional Family with RM by $\mathbb{Z}[(1 + \sqrt{5})/2]$

Let $s$ and $t$ be free parameters. Consider the family of genus 2 curves defined by $C_H : y^2 = F_H(x)$, where

$$F_H(x) = s x^5 - (2s + t)x^4 + (s^2 + 3s + 2t - 1)x^3 - (3s + t - 3)x^2 + (s - 3)x + 1.$$

This family is essentially due to Humbert; it is equal to the family of Mestre [14, §2.1] with $(U, T) = (s, t)$, and the family of Wilson [23, Proposition 3.4.1] with $(A, B) = (s, -t - 3s + 3)$. The family has a full 2-dimensional image in the moduli space of genus 2 curves.

Let $\mathcal{R}_H$ be the family of correspondences on $C_H \times C_H$ defined by

$$\mathcal{R}_H = V\bigl(x_1^2 x_2^2 + s(s - 1)x_1 x_2 - s^2(x_1 - x_2) + s^2,\; y_1 - y_2\bigr);$$

let $\phi_H$ be the induced endomorphism. There is a unique point $P_\infty$ at infinity on $C_H$, which we can use to define an embedding of $C_H$ in $J_{C_H}$ by

$$P = (x_P, y_P) \longmapsto D_P := [(P) - (P_\infty)] \leftrightarrow (x - x_P,\; y - y_P).$$

The $\phi_H$-division polynomials with respect to this embedding are

$$d_2 = x^2,\quad d_1 = (s^2 - s)x + s^2,\quad d_0 = -s^2 x + s^2,\quad e_2 = 1,\quad e_1 = 0,\quad e_0 = 1.$$

Proposition 3. The minimal polynomial of $\phi_H$ is $T^2 + T - 1$: that is, $\phi_H$ acts as multiplication by $-(1 + \sqrt{5})/2$ on $J_{C_H}$. A prime $\ell$ splits into two principal ideals in $\mathbb{Z}[\phi_H]$ if and only if $\ell \equiv \pm 1 \pmod 5$.

Proof. The first assertion is [ref, Proposition 2] with $n = 5$; the rest of the proof is exactly as for Proposition 2. □


4.4 A 2-Dimensional Family with RM by $\mathbb{Z}[\sqrt{2}]$

For an example with $\Delta = 8$, we present a twisted and reparametrized version of a construction due to Mestre [ref]. Let $s$ and $t$ be free parameters, let $v(s)$ and $n(s)$ be the rational functions

$$v = v(s) := \frac{s^2 + 2}{s^2 - 2} \quad\text{and}\quad n = n(s) := \frac{4s(s^4 + 4)}{(s^2 - 2)^3},$$

and let $C_M$ be the family of curves defined by

$$C_M : y^2 = F_M(x) := (vx - 1)(x - v)(x^4 - tx^2 + v^2 t - 1).$$

The family of correspondences on $C_M \times C_M$ defined by

$$\mathcal{R}_M = V\Bigl(x_1^2 x_2^2 - v^2(x_1^2 + x_2^2) + 1,\;\; y_1 y_2 - n\,(x_1^2 + x_2^2 - t)\,(x_1 x_2 - v(x_1 + x_2) + 1)\Bigr)$$

induces an endomorphism $\phi_M$ of $J_{C_M}$.

The family $C_M$ has two points at infinity, $P_\infty^+$ and $P_\infty^-$, which are generically only defined over a quadratic extension of $\mathbb{F}_q(s, t)$. Let $D_\infty = (P_\infty^+) + (P_\infty^-)$ denote the divisor at infinity. We can use the rational Weierstrass point $P_v = (v, 0)$ on $C_M$ to define an embedding of $C_M$ in $J_{C_M}$ by

$$P = (x_P, y_P) \longmapsto D_P := [(P) + (P_v) - D_\infty] \leftrightarrow \Bigl((x - x_P)(x - v),\; y - \frac{y_P}{x_P - v}(x - v)\Bigr)$$

(appropriate composition and reduction algorithms for divisor class arithmetic on genus 2 curves with an even-degree model, such as $C_M$, appear in [ref]). The $\phi_M$-division polynomials with respect to this embedding are

$$\begin{aligned}
d_2 &= x^2 - v^2, & e_2 &= (x^2 - v^2)F_M(x),\\
d_1 &= 0, & e_1 &= n(x - v)(x^4 - tx^2 + tv^2 - 1),\\
d_0 &= -v^2 x^2 + 1, & e_0 &= n(vx - 1)(x^4 - tx^2 + tv^2 - 1).
\end{aligned}$$

Proposition 4. The minimal polynomial of $\phi_M$ is $T^2 - 2$; that is, $\phi_M$ acts as multiplication by $\sqrt{2}$ on $J_{C_M}$. A prime $\ell$ splits into two principal ideals in $\mathbb{Z}[\phi_M]$ if and only if $\ell \equiv \pm 1 \pmod 8$.

Proof. Let $P$ and $Q$ be generic points of $C_M$. An elementary but lengthy calculation shows that on the level of divisors

$$\phi_M^2\bigl((P) - (Q)\bigr) = 2(P) - 2(Q) + (\text{a principal divisor}),$$

so $\phi_M^2([D]) = 2[D]$ for all $[D]$ in $\mathrm{Pic}^0(C_M)$. Hence $\phi_M^2 = [2]$, and $\mathbb{Z}[\phi_M]$ is isomorphic to the maximal order of $\mathbb{Q}(\sqrt{2})$. The primes $\ell$ splitting in $\mathbb{Q}(\sqrt{2})$ are precisely those congruent to $\pm 1$ modulo 8; further, $\mathbb{Q}(\sqrt{2})$ has class number 1, so the primes over $\ell$ are principal. □

Remark 3. As noted above, this construction is a twisted reparametrization of a family of isogenies described by Mestre in [ref, §2.1]. Let $a_1$ and $a_2$ be the roots of $T^2 - tT + v^2 t - 1$ in $\overline{\mathbb{F}}_q(v, t)$. Mestre's curves $C$ and $C'$ are equal (over $\mathbb{F}_q(n, a_1, a_2)$) to our $C_M$ and its quadratic twist by $2(v^2 - 1)(v^2 + 1)^2 = (2n)^2$, respectively. We may specialize the proofs in [ref] to show that $C_M$ has a two-dimensional image in the moduli space of curves of genus 2, and that the Jacobian of the curve with the same defining equation over $\mathbb{Q}(s, t)$ is absolutely simple. Constructions of curves with RM by $\mathbb{Z}[\sqrt{2}]$ are further investigated in Bending's thesis [ref].

Remark 4. Our algorithms should be readily adaptable to work with Kummer surfaces instead of Jacobians. In the notation of [ref], the Kummers with parameters $(a, b, c, d)$ satisfying $b^2 = a^2 - c^2 - d^2$ have RM by $\mathbb{Z}[\sqrt{2}]$, which can be made explicit as follows: the doubling algorithm decomposes into two identical steps, since $(A : B : C : D) = (a : b : c : d)$, and the components after one step are the coordinates of a Kummer point. This step therefore defines an efficiently computable endomorphism which squares to give multiplication by 2.

5 Numerical Experiments

We implemented our algorithm in C++ using the NTL library [ref]. For non-critical steps, including computations in quadratic fields, we used Magma [2] for simplicity. With this implementation, determining $\chi(T)$ for a curve over a 128-bit prime field takes approximately 3 hours on one core of a Core 2 processor at 2.83 GHz. This provides a proof of concept rather than an optimized implementation.


5.1 Cryptographic Curve Generation

When looking for cryptographic curves we used an early-abort strategy, switching to another curve as soon as either the order of the Jacobian or its twist cannot be prime. Using our adapted Schoof algorithm, we can guarantee that the group orders are not divisible by any prime that splits in the real field up to the CRT bound used. In fact, any prime that divides the group order of a curve having RM by the maximal order of $\mathbb{Q}(\sqrt{\Delta})$ must either be a split (or ramified) prime, or divide it with multiplicity 2. As a consequence, the early abort strategy works much better than in the classical Schoof algorithm, because it suffices to test half the number of primes up to our CRT bound.

We ran a search for a secure curve over a prime field of 128 bits, using a CRT bound of 131. Our series of computations frequently aborted early, and resulted in 245 curves for which $\chi(T)$ was fully determined, and for which neither the group order nor its twist was divisible by a prime less than 131. Together with the twists this provided 490 group orders, of which 27 were prime and therefore suitable for cryptographic use. We give here the data for one of these curves, which was furthermore twist-secure: the orders of both the Jacobian and its twist are prime.

Let $q = 2^{128} + 573$, and let $C/\mathbb{F}_q$ be the curve in the family $C_T$ of §4.2 specialized at $t = 75146620714142230387068843744286456025$. The characteristic polynomial $\chi(T)$ is determined by

$$s_1 = -26279773936397091867,$$

$$s_2 = -90827064182152428161138708787412643439,$$

giving prime group orders

$$\#J_C(\mathbb{F}_q) = 115792089237316195432513528685912298808995809621534164533135283195301868637471,$$

$$\#J_{C'}(\mathbb{F}_q) = 115792089237316195414628441331463517678650820031857370801365706066289379517451,$$

where $C'$ denotes the quadratic twist of $C$. Correctness of the orders is easily verified on random points in the Jacobians.

5.2 A Kilobit Jacobian

Let $q$ be the prime $2^{512} + 1273$, and consider the curve over $\mathbb{F}_q$ from the family $C_T$ of §4.2 specialized at

$$t = 2908566633378727243799826112991980174977453300368095776223256986807375270272014471477919882845604269700820270816721532434975921085316560590832659122351278.$$

This value of $t$ was randomly chosen, and carries no special structure. We computed the values of the pair $(s_1 \bmod \ell, n \bmod \ell)$ for this curve for each split prime $\ell$ up to 419; this was enough to uniquely determine the true value of $(s_1, n)$ using the CRT. The numerical data for the curve follows:

$$\Delta = 5,$$

$$s_1 = -105356845682252163857726832705542821993786700733682287487810402851346035223080,$$

$$n = -37786020778198256317368570028183842800473749792142072230993549001035093288492,$$

$$s_2 = (s_1^2 - n^2\Delta)/4 = 990287025215436155679872249605061232893936642355960654938008045777052233348340624693986425546428828954551752076384428888704295617466043679591527916629020.$$

The order of the Jacobian is therefore

$$N = (1 + q)^2 - s_1(1 + q) + s_2 = 179769313486231590772930519078902473361797697894230657273430081157732675805502375737059489561441845417204171807809294449627634528012273648053238189262589020748518180898888687577372373289203253158846463934629657544938945248034686681123456817063106485440844869387396665859422186636442258712684177900105119005520.$$

The total runtime for this computation was about 80 days on a single core of a Core 2 clocked at 2.83 GHz. In practice, we use the inherent parallelism of the algorithm, running one prime $\ell$ on each available core.

We did not compute the characteristic polynomial modulo small prime powers (as in [ref]), nor did we use BSGS to deduce the result from partial modular information as in §3.4 (indeed, we were more interested in measuring the behaviour of our algorithm for large values of $\ell$). These improvements, which are of an exponential-complexity nature, bring much less than in the classical point counting algorithms, since they have to be balanced against a polynomial-time algorithm of lower degree. For this example, we estimate that BSGS and small prime powers could have saved a factor of about 2 in the total runtime.
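As an added check on the data of Sections 5.1 and 5.2 (example code, not part of the paper), the following Python reproduces the relations of Section 3.1 on the paper's own numbers: equation (8), $s_2 = (s_1^2 - n^2\Delta)/4$, the bounds (6) and (9), the group order $\#J_C(\mathbb{F}_q) = \xi(1 + q) = (1 + q)^2 - s_1(1 + q) + s_2$ with $s_1 \mapsto -s_1$ for the twist, and the early-abort filter of Section 5.1 together with the remark that an inert prime can only divide the order to the second power. The family $C_T$ has $\Delta = 5$ and $\mathrm{Tr}(\phi_T) = -1$; function and constant names are the example's own.

```python
"""Added example (not the authors' code): consistency checks on the paper's 128-bit and 512-bit data
from Sections 5.1 and 5.2 against the relations of Section 3.1.  Names are this example's own."""


def s2_from_s1_n(s1, n, delta):
    """Equation (8): s_2 = N(psi) = (s_1^2 - n^2 Delta)/4, as an exact integer."""
    num = s1 * s1 - n * n * delta
    if num % 4:
        raise ValueError("s_1^2 - n^2 Delta is not divisible by 4")
    return num // 4


def m_from_s1_n(s1, n, tr_phi):
    """Equation (8): s_1 = Tr(psi) = 2m + n Tr(phi), solved for m."""
    num = s1 - n * tr_phi
    if num % 2:
        raise ValueError("s_1 - n Tr(phi) is odd")
    return num // 2


def rueck_bounds_hold(q, s1, s2):
    """Inequality (6), (4 sqrt(q) - |s_1|)^2 >= Delta_0 = s_1^2 - 4 s_2 >= 0, with |s_1| <= 4 sqrt(q), checked
    exactly: the left inequality is 2 |s_1| sqrt(q) <= 4q + s_2, which is squared once 4q + s_2 >= 0."""
    d0 = s1 * s1 - 4 * s2
    return (d0 >= 0 and s1 * s1 <= 16 * q and 4 * q + s2 >= 0
            and 4 * q * s1 * s1 <= (4 * q + s2) ** 2)


def mn_bounds_hold(q, m, n, tr_phi, delta):
    """Inequalities (9): |n| < 4 sqrt(q/Delta) and |m| < 2 (|Tr(phi)| + sqrt(Delta)) sqrt(q/Delta),
    in exact integer arithmetic (the irrational parts are squared away)."""
    if n * n * delta >= 16 * q:
        return False
    lhs = m * m * delta - 4 * q * (tr_phi * tr_phi + delta)  # |m| bound <=> lhs < 8 q |Tr(phi)| sqrt(Delta)
    return lhs < 0 or lhs * lhs < 64 * q * q * tr_phi * tr_phi * delta


def jacobian_order(q, s1, s2):
    """#J_C(F_q) = chi(1) = xi(1 + q) = (1 + q)^2 - s_1 (1 + q) + s_2."""
    return (1 + q) ** 2 - s1 * (1 + q) + s2


def twist_order(q, s1, s2):
    """The quadratic twist C' has s_1 replaced by -s_1 (s_2 is unchanged)."""
    return jacobian_order(q, -s1, s2)


def primes_below(bound):
    sieve = bytearray([1]) * max(bound, 2)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(bound) if sieve[i]]


def is_inert(ell, delta):
    """ell is inert in Q(sqrt(Delta)) iff Delta is a non-residue mod ell (for ell = 2: iff Delta = 5 mod 8)."""
    if ell == 2:
        return delta % 8 == 5
    if delta % ell == 0:
        return False  # ramified
    return pow(delta % ell, (ell - 1) // 2, ell) == ell - 1


def survives_early_abort(order, bound):
    """Section 5.1: a candidate is kept only if no prime below the CRT bound divides its group order."""
    return all(order % ell for ell in primes_below(bound))


def inert_primes_divide_squared(order, delta, bound):
    """The remark of Section 5.1: an inert ell dividing #J_C(F_q) does so to the second power, because
    J_C[ell] is a vector space over Z[phi]/(ell) = F_{ell^2}."""
    return all(order % (ell * ell) == 0 for ell in primes_below(bound)
               if is_inert(ell, delta) and order % ell == 0)


# The paper's data.  C_T has RM by Z[phi_T] with phi_T^2 + phi_T - 1 = 0: Delta = 5, Tr(phi_T) = -1.
DELTA_T, TR_PHI_T = 5, -1
Q128 = 2 ** 128 + 573
S1_128 = -26279773936397091867
S2_128 = -90827064182152428161138708787412643439
N128 = 115792089237316195432513528685912298808995809621534164533135283195301868637471
N128_TWIST = 115792089237316195414628441331463517678650820031857370801365706066289379517451
Q512 = 2 ** 512 + 1273
S1_512 = -105356845682252163857726832705542821993786700733682287487810402851346035223080
N_512 = -37786020778198256317368570028183842800473749792142072230993549001035093288492
S2_512 = int("990287025215436155679872249605061232893936642355960654938"
             "008045777052233348340624693986425546428828954551752076384"
             "428888704295617466043679591527916629020")
ORDER_512 = int("179769313486231590772930519078902473361797697894230657273"
                "430081157732675805502375737059489561441845417204171807809"
                "294449627634528012273648053238189262589020748518180898888"
                "687577372373289203253158846463934629657544938945248034686"
                "681123456817063106485440844869387396665859422186636442258"
                "712684177900105119005520")


def check_paper_data():
    """Returns (128-bit orders reproduced, 512-bit s_2 and order reproduced, bounds (6) and (9) hold)."""
    ok128 = (jacobian_order(Q128, S1_128, S2_128) == N128
             and twist_order(Q128, S1_128, S2_128) == N128_TWIST)
    s2 = s2_from_s1_n(S1_512, N_512, DELTA_T)
    ok512 = s2 == S2_512 and jacobian_order(Q512, S1_512, s2) == ORDER_512
    m = m_from_s1_n(S1_512, N_512, TR_PHI_T)
    bounds = (rueck_bounds_hold(Q128, S1_128, S2_128) and rueck_bounds_hold(Q512, S1_512, S2_512)
              and mn_bounds_hold(Q512, m, N_512, TR_PHI_T, DELTA_T))
    return ok128, ok512, bounds


if __name__ == "__main__":
    print(check_paper_data())
    print(survives_early_abort(N128, 131), survives_early_abort(N128_TWIST, 131))
```

All checks are exact integer arithmetic, so they can be reused on any $(q, s_1, n)$ produced by a point-counting run before a curve is accepted: the bounds catch a wrong CRT reconstruction early, and the order formula is what one then verifies on random Jacobian points.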
Abstract. Two fundamental building blocks of secure two-party computation are oblivious transfer and bit commitment. While there exist unconditionally secure implementations of oblivious transfer from noisy correlations or channels that achieve constant rates, similar constructions are not known for bit commitment.

In this paper, we show that any protocol that implements $n$ instances of bit commitment with an error of at most $2^{-k}$ needs at least $\Omega(kn)$ instances of a given resource such as oblivious transfer or a noisy channel. This implies in particular that it is impossible to achieve a constant rate.

We then show that it is possible to circumvent the above lower bound by restricting the way in which the bit commitments can be opened. We present a protocol that achieves a constant rate in the special case where only a constant number of instances can be opened, which is optimal.

Our protocol implements these restricted bit commitments from string commitments and is universally composable. The protocol provides significant speed-up over individual commitments in situations where restricted commitments are sufficient.

Keywords: secure two-party computation, bit commitment, string commitment, oblivious transfer, noisy channel, information theory.
1 Introduction

Commitment schemes [ref] are one of the basic building blocks of two-party computation [ref]. Commitments can be used in coin-flipping [ref], zero-knowledge proofs [ref], zero-knowledge arguments [ref] or as a tool in general two-party computation protocols to prevent malicious players from actively cheating (see for example [ref]).

A commitment scheme has two phases. In the commit phase, the sender has to decide on a value $b$. After the commit phase the value $b$ is fixed and cannot be changed, while the receiver still does not get any information about its value. At a later time, the players may execute the second phase, called the open phase, where the bit $b$ is revealed to the receiver. The scheme is called a bit commitment if $b$ is only one bit, and it is called a string commitment if $b$ is a longer bit string.

Bit commitments can be implemented from a wide variety of information-theoretic primitives [ref]. There are protocols which implement a single string commitment from noisy channels at a constant rate, meaning that the size of the string grows linearly with the number of instances of noisy channels used, which is essentially optimal [ref]. Protocols which implement individual bit commitments at a constant rate, however, are not known. In [ref] it has been shown that in any perfectly correct and perfectly hiding non-interactive bit commitment scheme from distributed randomness with a security of $2^{-k}$, the size of the randomness given to the players must be at least $\Omega(k)$.

Another primitive that is of fundamental importance in two-party computation is oblivious transfer (OT) [ref]. Oblivious transfer can be implemented from noisy channels [ref], cryptogates [ref] and weak variants of noisy channels [ref]. While all these protocols require $\Omega(k)$ instances of a given primitive to implement a single OT with a security of $2^{-k}$, it has been shown in [ref] that there are more efficient protocols if many OTs are implemented at once. In the semi-honest model and in some cases also in the malicious model, it is possible to implement OT at a constant rate, which means $n$ instances of OT can be implemented from just $O(n)$ instances of the given primitive, if $n$ is big enough compared to the security parameter. It is, therefore, possible to achieve the lower bound for such reductions [ref] up to a constant factor. In the following we address the question whether such efficient protocols also exist in the case of bit commitment.


1.1 Contribution

We show that, in contrast to implementations of OT, no constant rate reduction of bit commitment to distributed randomness can exist. More precisely, in our main theorem (Section 2) we show that if a protocol implements $n$ bit commitments with a security of at least $2^{-k}$ from distributed randomness, then the mutual information between the sender's and the receiver's randomness must be almost $kn$ or larger. Our proof is built on the insight that any such protocol must reveal at least $k$ bits of information about the receiver's randomness for each committed bit that is opened. This implies that we need at least $\Omega(kn)$ instances of oblivious transfer or noisy channels to implement $n$ bit commitments. Thus, executing for each bit commitment a protocol that uses $O(k)$ instances is optimal. In combination with the lower bound from [ref], this bound can be generalized to string commitments: any protocol that implements $n$ string commitments of length $\ell$ needs at least $\Omega(n(\ell + k))$ bits of distributed randomness.

However, in many applications of bit commitments the full strength of the commitment scheme is not required. For example in the famous zero-knowledge protocol of [ref], it is only required that a constant number of committed bits can be opened. We show that restricting the ways in which the bit commitments can be opened enables us to implement more efficient schemes that circumvent our impossibility result.¹ We introduce a new concept that we call bit commitments with restricted openings. It allows a sender to commit to $N$ bits, from which he may open up to $r < N$ one by one. After that, he may only open all the remaining bits at once. Our protocol uses so-called cover-free families, and implements bit commitments with restricted openings from string commitments. Together with a simple construction of a cover-free family from [ref], our results imply that for any prime power $q$, we can implement $N = q^2$ bit commitments from which $r$ can be opened from $(r + 1)q$ string commitments of length $q$. (See the corresponding corollary in Section 3 for the more general statement.) Together with the protocol from [ref], we get a constant-rate bit commitment protocol from noisy channels, for any constant $r$. As bit commitments with restricted openings are strictly stronger than a string commitment, this is optimal. Together with another construction of a cover-free family from [ref], it is possible to implement $N = 2^{\Omega(n/r^2)}$ bit commitments from $n$ string commitments. We prove our protocol secure in the Universal Composability model (UC) [ref].

We will prove our lower bounds for independent bit commitments in Section 2. In Section 3 we introduce commitments with restricted openings and give reductions to string commitments. Note that Section 3 can be read without reading Section 2.

¹ Note that for the specific case of zero-knowledge proofs other, more efficient, techniques are known [ref].

1.2 Notation

In the following, the probability distribution of a random variable $X$ is denoted by $P_X(x)$. The joint distribution $P_{XY}(x, y)$ defines a conditional distribution $P_{X|Y}(x, y) = P_{XY}(x, y)/P_Y(y)$ for all $y$ with $P_Y(y) > 0$. The statistical distance between the distributions $P_X$ and $P_{X'}$ over the domain $\mathcal{X}$ is defined as

$$\delta(P_X, P_{X'}) := \max_{D} \bigl|\Pr[D(X) = 1] - \Pr[D(X') = 1]\bigr|,$$

where we maximize over all (inefficient) distinguishers $D : \mathcal{X} \to \{0, 1\}$. We use the notation $[n]$ for the set $\{1, \dots, n\}$. For a sequence $x = (x_1, \dots, x_n)$ and $t \in [n]$, we denote by $x^t$ the subsequence $(x_1, \dots, x_t)$.

1.3 Information Theory

We will use the following tools from information theory in our proofs. We assume that the reader is familiar with the basic concepts of information theory, and refer to [ref] for more details. The conditional Shannon entropy of $X$ given $Y$ is defined as²

$$H(X \mid Y) := -\sum_{x, y} P_{XY}(x, y) \log P_{X|Y}(x, y).$$

We use the notation

$$h(p) = -p\log(p) - (1 - p)\log(1 - p)$$

for the binary entropy function, i.e., $h(p)$ is the entropy of the Bernoulli distribution³ with parameter $p$. The mutual information of $X$ and $Y$ given $Z$ is defined as

$$I(X; Y \mid Z) = H(X \mid Z) - H(X \mid YZ).$$

The mutual information satisfies the following chain rule

$$I(X_1 \dots X_n; Y) = \sum_{i=1}^{n} I(X_i; Y \mid X_1 \dots X_{i-1}).$$

The Kullback–Leibler divergence or relative entropy of two distributions $P_X$ and $Q_X$ on $\mathcal{X}$ is defined as

$$D(P_X \,\|\, Q_X) = \sum_{x \in \mathcal{X}} P_X(x) \log\frac{P_X(x)}{Q_X(x)}.$$

The conditional divergence of two distributions $P_{XY}$ and $Q_{XY}$ on $\mathcal{X} \times \mathcal{Y}$ is defined as

$$D(P_{Y|X} \,\|\, Q_{Y|X}) = \sum_{x \in \mathcal{X}} P_X(x)\, D(P_{Y|X=x} \,\|\, Q_{Y|X=x}).$$

The binary divergence of two probabilities $p$ and $q$ is defined as the divergence of the Bernoulli distributions with parameters $p$ and $q$, i.e.,

$$d(p \,\|\, q) = p\log\frac{p}{q} + (1 - p)\log\frac{1 - p}{1 - q}.$$

The divergence (and hence also the conditional divergence) is always non-negative. Furthermore, we have the following chain rule

$$D(P_{XY} \,\|\, Q_{XY}) = D(P_X \,\|\, Q_X) + D(P_{Y|X} \,\|\, Q_{Y|X}). \qquad (1)$$

This implies

$$D(P_X P_{Y|X} \,\|\, P_X Q_{Y|X}) = D(P_{Y|X} \,\|\, Q_{Y|X}). \qquad (2)$$

Let $Q_X$ and $P_X$ be two distributions over the inputs to the same channel $P_{Y|X}$. Then the divergence between the outputs $P_Y = \sum_x P_X P_{Y|X}$ and $Q_Y = \sum_x Q_X P_{Y|X}$ of the channel is not greater than the divergence between the inputs, i.e., the divergence satisfies the data-processing inequality

$$D(P_X \,\|\, Q_X) \ge D(P_Y \,\|\, Q_Y). \qquad (3)$$

Furthermore, for random variables $X$, $Y$ and $Z$ distributed according to $P_{XYZ}$,

$$I(X; Y \mid Z) = D(P_{X|YZ} \,\|\, P_{X|Z}). \qquad (4)$$

Let $P_{X|Y=y} = P_{X|Y=y, Z=z}$ for all $y, z$ (or $P_{Z|Y=y} = P_{Z|Y=y, X=x}$ for all $x, y$, which is equivalent). Then we say that $X$, $Y$ and $Z$ form a Markov chain, denoted by $X \leftrightarrow Y \leftrightarrow Z$. If $W \leftrightarrow XZ \leftrightarrow Y$, then

$$I(X; Y \mid ZW) \le I(X; Y \mid Z). \qquad (5)$$

² All logarithms are binary, and we use the convention that $0 \cdot \log 0 = 0$.

³ The Bernoulli distribution with parameter $p \in [0, 1]$ takes on the value 1 with probability $p$ and 0 otherwise.
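The quantities above on explicit finite distributions, as an added example (not the authors' code): entropy, conditional entropy, mutual information, divergence, binary divergence and conditional divergence are implemented on dictionaries, and the chain rules (1) and (2), the data-processing inequality (3) and identity (4) are checked numerically. The data-processing check uses the channel that appears in the proof of Lemma 1 below, a verdict bit computed from a transcript, so that the binary divergence of the two acceptance probabilities is bounded by the divergence of the transcript distributions. All distributions, including the channels, are constructed for the example, and all names are the example's own.

```python
"""Added example: the information-theoretic toolkit of Section 1.3 on explicit finite distributions, with the
chain rules (1)/(2), the data-processing inequality (3) and identity (4) checked numerically.
Not the authors' code; every distribution below is constructed for the example."""
from math import log2


def entropy(p):
    """H(P) = -sum p log p with binary logarithms and 0 log 0 = 0; p maps outcomes to probabilities."""
    return -sum(v * log2(v) for v in p.values() if v > 0)


def h(p):
    """Binary entropy h(p), the entropy of Bernoulli(p)."""
    return entropy({1: p, 0: 1 - p})


def marginal(joint, keep):
    """Marginal of a joint dict over outcome tuples onto the coordinate positions in `keep`."""
    out = {}
    for key, v in joint.items():
        k = tuple(key[i] for i in keep)
        out[k] = out.get(k, 0.0) + v
    return out


def conditional(joint, x, given, value):
    """P_{X | Given = value} as a dict over x-tuples (x, given are coordinate positions)."""
    sub = {k: v for k, v in joint.items() if tuple(k[i] for i in given) == value}
    tot = sum(sub.values())
    return {k: v / tot for k, v in marginal(sub, x).items()}


def cond_entropy(joint, x, given):
    """H(X | Y) = H(XY) - H(Y)."""
    return entropy(marginal(joint, x + given)) - entropy(marginal(joint, given))


def mutual_info(joint, x, y, z=()):
    """I(X; Y | Z) = H(X | Z) - H(X | YZ)."""
    return cond_entropy(joint, x, z) - cond_entropy(joint, x, y + z)


def divergence(p, q):
    """D(P || Q) = sum P(x) log (P(x)/Q(x)); +inf when P has mass where Q has none."""
    total = 0.0
    for k, v in p.items():
        if v > 0:
            if q.get(k, 0.0) <= 0:
                return float("inf")
            total += v * log2(v / q[k])
    return total


def binary_divergence(p, q):
    """d(p || q): divergence of Bernoulli(p) from Bernoulli(q)."""
    return divergence({1: p, 0: 1 - p}, {1: q, 0: 1 - q})


def cond_divergence(pj, qj, x, y):
    """D(P_{Y|X} || Q_{Y|X}) = sum_x P_X(x) D(P_{Y|X=x} || Q_{Y|X=x}); the weights come from P."""
    return sum(w * divergence(conditional(pj, y, x, xv), conditional(qj, y, x, xv))
               for xv, w in marginal(pj, x).items() if w > 0)


def divergence_form_of_mutual_info(joint, x, y, z):
    """Right-hand side of (4): D(P_{X|YZ} || P_{X|Z}) = sum_{y,z} P(y,z) D(P_{X|Y=y,Z=z} || P_{X|Z=z})."""
    return sum(w * divergence(conditional(joint, x, y + z, yz), conditional(joint, x, z, yz[len(y):]))
               for yz, w in marginal(joint, y + z).items() if w > 0)


def push(px, channel):
    """Output law P_Y = sum_x P_X(x) P_{Y|X=x} of a channel given as dict x -> (dict y -> probability)."""
    py = {}
    for xv, w in px.items():
        for yv, c in channel[xv].items():
            py[yv] = py.get(yv, 0.0) + w * c
    return py


def bsc_joint(px1, flip):
    """Constructed joint of (X, Y): X ~ Bernoulli(px1), Y = X xor Bernoulli(flip)."""
    return {(x, y): (px1 if x else 1 - px1) * (flip if x != y else 1 - flip) for x in (0, 1) for y in (0, 1)}


def markov_xyz(flip1, flip2):
    """Constructed Markov chain Z -> X -> Y with Z uniform; dict over (x, y, z)."""
    return {(x, y, z): 0.5 * (flip1 if x != z else 1 - flip1) * (flip2 if y != x else 1 - flip2)
            for x in (0, 1) for y in (0, 1) for z in (0, 1)}


def check_identities(tol=1e-12):
    """(1), (2), (3) and (4) on the constructed distributions; returns a dict name -> bool."""
    P, Q = bsc_joint(0.3, 0.1), bsc_joint(0.5, 0.25)
    X, Y = (0,), (1,)
    chain1 = abs(divergence(P, Q) - (divergence(marginal(P, X), marginal(Q, X))
                                     + cond_divergence(P, Q, X, Y))) < tol
    R = {k: marginal(P, X)[k[:1]] * conditional(Q, Y, X, k[:1])[k[1:]] for k in P}   # P_X Q_{Y|X}
    chain2 = abs(divergence(P, R) - cond_divergence(P, Q, X, Y)) < tol
    # (3) with the channel of Lemma 1's proof: a verdict bit F(transcript); for inputs P and Q the outputs
    # are Bernoulli(acceptance probability), so d(acc_P || acc_Q) <= D(P || Q).
    verdict = {(0, 0): {1: 1.0}, (1, 1): {1: 1.0}, (0, 1): {1: 0.2, 0: 0.8}, (1, 0): {0: 1.0}}
    acc_p, acc_q = push(P, verdict)[1], push(Q, verdict)[1]
    dpi = binary_divergence(acc_p, acc_q) <= divergence(P, Q) + tol
    J = markov_xyz(0.1, 0.2)
    ident4 = abs(mutual_info(J, X, Y, (2,)) - divergence_form_of_mutual_info(J, X, Y, (2,))) < tol
    return {"chain_rule_1": chain1, "eq_2": chain2, "data_processing_3": dpi, "identity_4": ident4}


if __name__ == "__main__":
    print(check_identities())
```

The verdict channel maps each transcript to accept (1) or reject (0), possibly at random; this is exactly the step in the proof of Lemma 1 where $d(1 - \varepsilon \,\|\, \gamma + \beta)$ is bounded by the divergence of the two transcript distributions.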
2 Impossibility Results

2.1 Model and Security Definition

We will consider the following model: a trusted third party holds random variables $(U, V)$ with a joint distribution $P_{UV}$ and sends $U$ to the sender and $V$ to the receiver. The sender receives an input bit $b \in \{0, 1\}$. In the commit phase, the players exchange messages in several rounds. Let all the messages exchanged be $M$, which is a randomized function of $(U, V, b)$. In the open phase, the sender sends $b$ together with a value $D_1$ to the receiver. The receiver then sends a message $E_1$ to the sender, who replies with a message $D_2$, and so on. Let $N := (D_1, E_1, D_2, E_2, \dots, E_{t-1}, D_t)$ be the total communication in the open phase. (We assume that the number of rounds in the open phase is upper bounded by a constant $t$. By padding the protocol with empty rounds we can thus assume without loss of generality that the protocol uses $t$ rounds in every execution.) Finally, the receiver accepts or rejects, which we model by a randomized function $F(b, V, M, N)$ that outputs 1 for accept and 0 for reject. Let the distribution in the honest setting be $P_{UVMN|B=b}$. We define three parameters that quantify the correctness of the protocol and the security for the sender and the receiver, respectively.

— $\varepsilon$-correct: $\Pr[F(b, V, M, N) = 1] \ge 1 - \varepsilon$.

— $\beta$-hiding: $\delta(P_{VM|B=0}, P_{VM|B=1}) \le \beta$.

— $\gamma$-binding: For any $b \in \{0, 1\}$ and for any malicious sender that is honest in the commit phase on input $b$ and tries to open $1 - b$, we have $\Pr[F(1 - b, V, M, N') = 1] \le \gamma$, where $N'$ is the communication between the malicious sender and the honest receiver in the open phase.

Note that the above security conditions are not sufficient to prove the security of a protocol⁴, but any sensible security definition for commitments implies these conditions. Since we only use the definition to prove the non-existence of certain protocols, this makes our result stronger.


2.2 Lower Bound for Multiple Bit Commitments

In the following we prove a lower bound on the mutual information between the randomness of the sender and the randomness of the receiver in any bit commitment protocol. First, we show the following technical lemma.

Lemma 1. If a protocol that implements bit commitment from distributed randomness $(U, V)$ is $\gamma$-binding, $\varepsilon$-correct and $\beta$-hiding, then for $b \in \{0, 1\}$

$$d(1 - \varepsilon \,\|\, \gamma + \beta) \le \sum_{i=1}^{t} I(D_i; V \mid M D^{i-1} E^{i-1}, B = b). \qquad (6)$$

⁴ To prove the security of a protocol one would have to consider, for example, a malicious sender in the commit phase.
Proof. Let $b \in \{0, 1\}$ and $\bar b := 1 - b$. Assume that the sender in the commit phase honestly commits to $\bar b$. If she honestly opens $\bar b$ in the open phase, the communication can be modeled by a channel $P_{DE|VM}$ (that may depend on $\bar b$) and the resulting distribution is

\[ P_{DEVM|B=\bar b} = P_{DE|VM} \, P_{VM|B=\bar b}. \]

We have omitted $U$ as it does not play a role in the following arguments. The correctness property implies that an honest receiver accepts values drawn from this distribution with probability at least $1 - \varepsilon$. Let the sender commit to $b$ and then try to open $\bar b$ by sampling her messages according to the distributions $P_{D_1|M}$ and $P_{D_i|M D^{i-1} E^{i-1}}$ for $2 \leq i \leq t$. (Note that the sender does not know $V$ and, therefore, chooses her messages independently of $V$.) The communication in the opening phase can be modeled by a channel

\[ Q_{DE|VM} := P_{D_1|M} \, P_{E_1|VMD_1} \cdots P_{D_t|M D^{t-1} E^{t-1}}. \]

The binding property implies that the receiver accepts values distributed according to $P_{VM|B=b} \, Q_{DE|VM}$ with probability at most $\gamma$. $\delta(P_{VM|B=b}, P_{VM|B=\bar b}) \leq \beta$ implies that

\[ \delta(P_{VM|B=b} \, Q_{DE|VM}, \; P_{VM|B=\bar b} \, Q_{DE|VM}) \leq \beta, \]

and hence values drawn from the distribution $P_{VM|B=\bar b} \, Q_{DE|VM}$ are accepted with probability at most $\gamma + \beta$. Note that the bit indicating acceptance can also be modeled by a channel $P_{F|DEVM}$. Thus, we can apply the data-processing inequality © to bound $d(1-\varepsilon \,\|\, \gamma+\beta)$. Using the chain rule © and the non-negativity of the relative entropy, we have (we omit conditioning on $B = b$ in the following)

\[ d(1-\varepsilon \,\|\, \gamma+\beta) \leq D(P_{VM} \, P_{DE|VM} \,\|\, P_{VM} \, Q_{DE|VM}) \]
\[ = D(P_{DE|VM} \,\|\, Q_{DE|VM}) \]
\[ = \sum_{i=1}^{t} D(P_{D_i|VM D^{i-1} E^{i-1}} \,\|\, P_{D_i|M D^{i-1} E^{i-1}}) + \sum_{i=1}^{t-1} D(P_{E_i|VM D^{i} E^{i-1}} \,\|\, P_{E_i|VM D^{i} E^{i-1}}) \]
\[ = \sum_{i=1}^{t} D(P_{D_i|VM D^{i-1} E^{i-1}} \,\|\, P_{D_i|M D^{i-1} E^{i-1}}) \]
\[ = \sum_{i=1}^{t} I(D_i; V \mid M D^{i-1} E^{i-1}). \]

□

The following lemma follows easily from Theorem 2.1 in m. We will use it to bound the right-hand side of (6) in the following.

Lemma 2. Let $\varepsilon = \beta = \gamma = 2^{-k}$. Then, for $k \geq 3$, we have

The following lemma generalizes the lower bounds on the size of the randomness for perfectly correct and perfectly hiding non-interactive schemes from PH] to arbitrary protocols. However, it also provides a more powerful result, namely a lower bound on the information that the communication in the open phase must reveal about the receiver's randomness $V$ for any protocol that implements bit commitment from a shared distribution $P_{UV}$. The lower bound is essentially $k$ if the error of the protocol is at most $2^{-k}$. This stronger statement will allow us in the following to prove that there are no constant-rate reductions of bit commitment to distributed randomness, the main result of this section.

Lemma 3. Let $k \geq 3$. Then any $2^{-k}$-secure bit commitment must have for $b \in \{0, 1\}$

\[ I(N; V \mid M, B = b) - I(N; V \mid UM, B = b) = I(U; V \mid M, B = b) - I(U; V \mid MN, B = b) \geq (k-2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1}. \]

Proof. Again, we omit conditioning on $B = b$ in the following. Consider a protocol over $t$ rounds in the open phase, i.e., the whole communication is $N = (D, E) = (D_1, E_1, \ldots, E_{t-1}, D_t)$. Since $D_i \leftrightarrow U M D^{i-1} E^{i-1} \leftrightarrow V$, we have $I(D_i; V \mid U M D^{i-1} E^{i-1}) = 0$. Hence,

\[ I(NU; V \mid M) = I(U; V \mid M) + \sum_{i=1}^{t-1} I(E_i; V \mid U M D^{i} E^{i-1}). \]

Furthermore, from $E_i \leftrightarrow V M D^{i} E^{i-1} \leftrightarrow U$ and inequality 0 it follows that for all $i$

\[ I(E_i; V \mid M D^{i} E^{i-1}) \geq I(E_i; V \mid U M D^{i} E^{i-1}). \]

Hence, we have

\[ I(N; V \mid M) = \sum_{i=1}^{t-1} I(E_i; V \mid M D^{i} E^{i-1}) + \sum_{i=1}^{t} I(D_i; V \mid M D^{i-1} E^{i-1}) \]
\[ \geq \sum_{i=1}^{t-1} I(E_i; V \mid U M D^{i} E^{i-1}) + \sum_{i=1}^{t} I(D_i; V \mid M D^{i-1} E^{i-1}) \]

and

\[ I(U; V \mid MN) = I(NU; V \mid M) - I(N; V \mid M) \]
\[ = I(U; V \mid M) + \sum_{i=1}^{t-1} I(E_i; V \mid U M D^{i} E^{i-1}) - I(N; V \mid M) \]
\[ \leq I(U; V \mid M) - \sum_{i=1}^{t} I(D_i; V \mid M D^{i-1} E^{i-1}). \]

The statement now follows from Lemma 1 and Lemma 2.
Next, we consider implementations of $n$ individual bit commitments. The sender gets input $b^n = (b_1, \ldots, b_n)$ and commits to all bits at the same time, which results in the overall distribution

\[ P_{UVM|B^n = b^n} = P_{UV} \, P_{M|UV, B^n = b^n} \]

after the commit phase. To reveal the $i$th bit, the sender and the receiver interact, resulting in the transcript $N_i$. The following theorem says that the mutual information between the sender's randomness $U$ and the receiver's randomness $V$ must be almost $kn$ to implement $n$ bit commitments with an error of at most $2^{-k}$. The proof uses Lemma 3 to lower bound the information that the sender must reveal about $V$ for every bit that he opens.

Theorem 1. Let $k \geq 3$. Then any $2^{-k}$-secure protocol that implements $n$ bit commitments from randomness $(U, V)$ must have for all $b^n \in \{0, 1\}^n$

\[ I(U; V) \geq I(U; V \mid M, B = b^n) \geq n(k-2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1}. \]

Proof. Let $i \in [n]$. We first construct a commitment to a single bit, which will allow us to apply the bound from Lemma 3. This bit commitment is defined as follows: to commit to the bit $b$, the players execute the commit phase on an input string which is equal to the input bit $b$ on position $i$ and equal to the constant $b^n \in \{0, 1\}^n$ on all other positions. Additionally (still as part of the commit phase), the sender opens the first $i - 1$ commitments, which means that the messages $N^{i-1}$ get exchanged. To open the commitment, the sender opens bit $i$. This bit commitment scheme has at least the same security as the original commitment. Thus, Lemma 3 implies that (we omit conditioning on $B = b^n$ in the following)

\[ I(U; V \mid M N^{i}) \leq I(U; V \mid M N^{i-1}) - (k-2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1}. \tag{7} \]

Since this holds for all $i$, we can apply (7) repeatedly to get

\[ 0 \leq I(U; V \mid M N^{n}) \leq I(U; V \mid M N^{n-1}) - (k-2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1} \leq \cdots \leq I(U; V \mid M) - n(k-2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1}. \]

By induction over all rounds of the commit protocol using ® (see, for example, [22] for a detailed proof) it follows that

\[ I(U; V \mid M) \leq I(U; V). \]

This implies the statement.
It is possible to securely implement 1-out-of-2 bit oblivious transfer ($\binom{2}{1}$-OT$^1$) from randomness distributed according to $P_{UV}$ with $I(U; V) = 1$ pill. A binary symmetric noisy channel ($(p)$-BSNC) with crossover probability $p$ can be implemented from randomness distributed according to $P_{UV}$ with $I(U; V) = 1 - h(p)$. Together with these reductions, Theorem 1 implies that (almost) $kn$ instances of $\binom{2}{1}$-OT$^1$ or $kn/(1 - h(p))$ instances of a $(p)$-BSNC are needed to implement $n$ bit commitments with an error of at most $2^{-k}$.

There exists a universally composable protocol⁵ that implements bit commitment from $2k$ instances of $\binom{2}{1}$-OT$^1$ with an error of at most $2^{-k}$. Thus, $n$ bit commitments can be implemented from $2n(k + \log(n))$ instances of $\binom{2}{1}$-OT$^1$ with an error of at most $n \cdot 2^{-(k + \log(n))} = 2^{-k}$ using $n$ parallel instances of this protocol. Theorem 1 shows that this is optimal up to a factor of 4 if $k \geq \log(n)$.

2.3 Lower Bounds for Multiple String Commitments

A string commitment is a generalization of bit commitment where the sender may commit to a bit-string of length $\ell \geq 1$. It is weaker than $\ell$ instances of bit commitment because the sender has to reveal all bits simultaneously. In j2S| a lower bound on the conditional entropy of the sender's randomness $U$ given the receiver's randomness $V$ for any string commitment protocol from randomness $(U, V)$ has been shown. This bound essentially says that $H(U \mid V)$ must be greater than or equal to $\ell$ to implement a string commitment of length $\ell$. The following lemma provides a similar bound for the security definition considered here. (The proof can be found in the full version of this paper B3.)

Lemma 4. If a protocol that implements an $\ell$-bit string commitment from randomness $(U, V)$ is $\varepsilon$-correct, $\beta$-hiding and $\gamma$-binding, then

\[ H(U \mid V) \geq (1 - \varepsilon - \beta - \gamma)\,\ell - h(\beta) - h(\varepsilon + \gamma). \]

Together with the bound of Theorem 1 we obtain the following lower bound on the randomness of the sender in any bit commitment protocol.

Corollary 1. Let $k \geq 3$. For any protocol that implements $n$ individual $\ell$-bit string commitments from randomness $(U, V)$ with an error of at most $2^{-k}$

\[ H(U) \geq n(k + \ell - 2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1} - 3 \cdot 2^{-k} \cdot n\ell - 3h(2^{-k}). \]

Proof. Using Lemma 4 and Theorem 1 we get

\[ H(U) = I(U; V) + H(U \mid V) \]
\[ \geq n(k-2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1} + (1 - 3 \cdot 2^{-k})\,n\ell - h(2^{-k}) - h(2^{-k+1}) \]
\[ \geq n(k + \ell - 2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1} - 3 \cdot 2^{-k} \cdot n\ell - 3h(2^{-k}). \]

□

5 See for example Claim 33 in the full version of jH].
In EJ it has been shown that any non-interactive perfectly hiding and perfectly correct bit commitment protocol from distributed randomness $P_{UV}$ is at most I ^-binding. This result implies stronger bounds than Theorem 1 and Lemma 3 for certain reductions. The following lemma provides a lower bound on the uncertainty of the sender about the receiver's randomness for any bit commitment protocol. This lower bound is essentially equal to $k$ if the protocol is $2^{-k}$-secure and implies, in particular, the result from EJ.


Lemma 5. If a protocol that implements bit commitment from randomness $(U, V)$ is $\gamma$-binding, $\varepsilon$-correct and $\beta$-hiding, then

\[ d(1 - \beta - \varepsilon \,\|\, \gamma) \leq H(V \mid UM) \leq H(V \mid U), \]

where $M$ is the whole communication in the commit phase. If $\beta = \gamma = \varepsilon = 2^{-k}$, then

\[ H(V \mid U) \geq (k-1) \cdot \frac{2^{k-1} - 4}{2^{k-1} - 1}. \tag{8} \]

Proof. We have $\delta(P_{VM|B=b}, P_{VM|B=\bar b}) \leq \beta$. This implies that the distribution $P_{U|VM, B=\bar b} \, P_{VM|B=b}$ is $\beta$-close to $P_{UVM|B=\bar b}$. Thus, when the sender honestly opens $\bar b$ starting from values distributed according to $P_{U|VM, B=\bar b} \, P_{VM|B=b}$, the receiver accepts the resulting values with probability at least $1 - \beta - \varepsilon$. We consider the following attack: the sender honestly commits to $b$, generates $v'$ by applying $P_{V|UM, B=b}$ and then generates $u'$ by applying the channel $P_{U|VM, B=\bar b}$ to $(v', m)$. When the sender now tries to open $\bar b$, the binding property guarantees that the receiver accepts the resulting values with probability at most $\gamma$. Thus, we can apply the data-processing inequality © to bound $d(1 - \beta - \varepsilon \,\|\, \gamma)$. Let $V'$ be a copy of $V$, i.e., a random variable with distribution $P_{VV'}(v, v) = P_V(v)$. Using the chain rule ©, we have

\[ d(1 - \beta - \varepsilon \,\|\, \gamma) \leq D(P_{VV'|UM, B=b} \, P_{UM|B=b} \,\|\, P_{V|UM, B=b} \, P_{V'|UM, B=b} \, P_{UM|B=b}) \]
\[ \leq D(P_{VV'|UM, B=b} \,\|\, P_{V|UM, B=b} \, P_{V'|UM, B=b}) \]
\[ = H(V \mid UM, B = b) \]
\[ \leq H(V \mid U). \]

Using Lemma 2 this implies inequality (8).

□


Consider a protocol that implements $n$ bit commitments with security of $2^{-k}$ from $n'$ instances of $\binom{2}{1}$-OT$^{\ell'}$. Since $\binom{2}{1}$-OT$^{\ell'}$ can be reduced to a shared distribution $P_{UV}$ with $H(V \mid U) = 1$, Lemma 5 implies that $n' \geq (k-1) \cdot \frac{2^{k-1} - 4}{2^{k-1} - 1}$, i.e., one needs, independently of $\ell'$, almost $k$ instances of OT.

Together with Theorem 1 and Lemma 4 this implies the following lower bound on the number of instances of OT needed to implement multiple string

530 S. Ranellucci et al. 


commitments, which demonstrates that all three lower bounds can be meaningful in this scenario.


Corollary 2. Let $k \geq 3$. For any protocol that implements $n$ individual $\ell$-bit string commitments with an error of at most $2^{-k}$ from $n'$ instances of $\binom{2}{1}$-OT$^{\ell'}$ we have

$n' \geq$ [maximum of three terms, built from $n(k + \ell - 2) \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1} - 3 \cdot 2^{-k} \, n\ell - 3h(2^{-k})$, from $(k-2)\,n \cdot \frac{2^{k-2} - 2}{2^{k-2} - 1}$ and from $(k-1) \cdot \frac{2^{k-1} - 4}{2^{k-1} - 1}$]


3 Commitments with Restricted Openings

In this section, we will present a protocol that implements commitments with restricted openings from several instances of string commitment. We will use the Universal Composability model jH|, and assume that the reader is familiar with it. In our proof, we will only consider static adversaries. For simplicity, we omit session IDs and player IDs.

String Commitment is a functionality that allows the sender to commit to a string of $n$ bits, and to reveal the whole string later to the receiver. The receiver does not get to know the string before it is opened, and the sender cannot change the string once he has sent it.

Definition 1 (String-Commitment). The functionality $\mathcal{F}^{n}_{\mathrm{SCOM}}$ behaves as follows:

— Upon input (commit, $b$) with $b \in \{0, 1\}^n$ from the sender: check that commit has not been sent yet. If so, send committed to the receiver and store $b$. Otherwise, ignore the message.

— Upon input openall from the sender: check if there has been a commit message before, and the commitment has not been opened yet. If so, send (openall, $b$) to the receiver and ignore the message otherwise.

Note that given $\mathcal{F}^{n}_{\mathrm{SCOM}}$ it is possible to commit to individual bits at different times: the sender simply commits to a random string $b' = (b'_1, \ldots, b'_n)$, and whenever he wants to commit to a bit $b_i$ for $i \in [n]$, he sends $b_i \oplus b'_i$ to the receiver. On the other hand, it is not possible to open bits at different times using $\mathcal{F}^{n}_{\mathrm{SCOM}}$.

Bit commitment is a string commitment of length 1, i.e., $\mathcal{F}_{\mathrm{BCOM}} := \mathcal{F}^{1}_{\mathrm{SCOM}}$. We denote $n$ independent bit commitments by $(\mathcal{F}_{\mathrm{BCOM}})^n$. Since $(\mathcal{F}_{\mathrm{BCOM}})^n$ does allow bits to be opened at different times, it is strictly stronger than $\mathcal{F}^{n}_{\mathrm{SCOM}}$. However, as we have seen in the last section, $(\mathcal{F}_{\mathrm{BCOM}})^n$ is also quite expensive to implement in terms of resources needed. Therefore, we define a primitive that is somewhere between these two: commitments with restricted openings allow a sender to commit to $n$ bits, but then he may only open $r$ individual bits of his choice one by one. To open more than $r$ bits, he has to open the remaining bits all at once.
Definition 2 (Commitments with restricted openings). The functionality $\mathcal{F}^{n,r}_{\mathrm{RCOM}}$ behaves as follows:

— Upon input (commit, $b$) with $b \in \{0, 1\}^n$ from the sender: check that commit has not been sent yet. If so, send committed to the receiver and store $b$. Otherwise, ignore the message.

— Upon input (open, $i$) with $i \in [n]$ from the sender: check that there has been a commit message before, and that $i$ has not been opened yet. Also check that the number of opened values so far is smaller than $r$. If so, send (open, $i$, $b_i$) to the receiver and ignore the message otherwise.

— Upon input openall from the sender: check if there has been a commit message before, and no openall message has been received yet from the sender. If so, send (openall, $b$) to the receiver and ignore the message otherwise.

For $r = 0$ and $r = n$, commitments with restricted openings are equivalent to string commitments and individual bit commitments, respectively: $\mathcal{F}^{n}_{\mathrm{SCOM}} = \mathcal{F}^{n,0}_{\mathrm{RCOM}}$ and $(\mathcal{F}_{\mathrm{BCOM}})^n = \mathcal{F}^{n,n}_{\mathrm{RCOM}}$.

Our protocol makes use of cover-free families |27ll 8l.35ff)|, which are a generalization of Sperner sets m. Cover-free families are also known as superimposed codes and require that no set is covered by the union of $r$ other sets.

Definition 3. Let $X$ be a set of $n$ elements and let $\mathcal{B}$ be a set of subsets of $X$; then $(X, \mathcal{B})$ is an $r$-cover-free family, $r$-CFF$(X, \mathcal{B})$, if for any $r$ sets $B_{i_1}, \ldots, B_{i_r} \in \mathcal{B}$ and any other $B \in \mathcal{B}$, it holds that

\[ B \not\subseteq \bigcup_{j=1}^{r} B_{i_j}. \]


Example 1. All subsets of $[n]$ of size $s$ form a cover-free family for $r = 1$, because there is no subset that completely covers any other subset.

Here is a simple example of a cover-free family for $r > 1$ given in m.

Example 2 nm. Let $q$ be a prime power, and $d, r \in \mathbb{N}$ such that $rd < q$. Let $X = \mathcal{Y} \times \mathrm{GF}(q)$, where $\mathcal{Y} \subseteq \mathrm{GF}(q)$ and $|\mathcal{Y}| = rd + 1$. An element $B$ in the family $\mathcal{B}$ is constructed from a polynomial $p(y) := a_0 + y \cdot a_1 + \ldots + y^d \cdot a_d$ of degree $d$ where $a_i \in \mathrm{GF}(q)$ by $B := \{(y, p(y)) : y \in \mathcal{Y}\}$. Two polynomials of degree $d$ intersect at most $d$ times. Therefore, any union of $r$ elements $B_1, \ldots, B_r$ intersects any other element $B$ at most $rd < |\mathcal{Y}|$ times, and therefore cannot cover $B$. $(X, \mathcal{B})$ is therefore an $r$-cover-free family with $|X| = (rd + 1)q$ and $|\mathcal{B}| = q^{d+1}$.

We now give a protocol that implements $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ from $n$ instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ using an $r$-CFF$(X, \mathcal{B})$, where $X = \{1, \ldots, n\}$ and $\mathcal{B} = \{B_1, B_2, \ldots, B_N\}$.

Protocol 1.

— When the sender receives (commit, $b$), he chooses $n$ uniformly random strings $c_1, \ldots, c_n \in \{0, 1\}^N$, with the restriction that for all $i \in [N]$ we have

\[ \bigoplus_{j \in B_i} c_{j,i} = b_i. \]

For $j \in [n]$, the sender sends (commit, $c_j$) to the $j$th instance of $\mathcal{F}^{N}_{\mathrm{SCOM}}$. After that he ignores all messages (commit, $b'$).

— When the receiver has received committed from all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$, he outputs committed.

— For the first $r$ times when the sender receives (open, $i$), he sends (open, $i$) to the receiver and openall to all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ in $B_i$, if they have not been opened yet. After that, he ignores all messages (open, $i$).

— For the first $r$ times when the receiver receives (open, $i$) from the sender and (open, $c_j$) from all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ in $B_i$, he outputs (open, $i$, $\bigoplus_{j \in B_i} c_{j,i}$). After that, he ignores these messages.

— When the sender receives openall, he sends openall to the receiver and to all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$. After that, he ignores all openall messages.

— When the receiver receives openall from the sender and (open, $c_j$) from all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$, he outputs (openall, $(b'_1, \ldots, b'_N)$), where $b'_i := \bigoplus_{j \in B_i} c_{j,i}$. After that, he ignores all messages openall.
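Protocol 1 run end to end over the polynomial cover-free family of Example 2, as an added illustration that is not the paper's own code: the sender's constrained choice of the strings $c_j$, the receiver's XOR reconstruction, the $r$ limit on single openings, and the hiding argument of Theorem 2 (every unopened block keeps an unopened instance). It assumes $\mathrm{GF}(q)$ for a prime $q$ (arithmetic mod $q$), replaces each $\mathcal{F}^{N}_{\mathrm{SCOM}}$ instance by a trivial in-memory stand-in rather than a real commitment scheme, and the function and class names (polynomial_cff, is_cover_free, still_hidden, run_protocol) are chosen here.

```python
import itertools
import secrets

def polynomial_cff(q, d, r):
    """Example 2 with GF(q) taken as the integers mod a prime q (assumption made
    here).  Y = {0,..,rd}; the block of a polynomial p of degree <= d is
    {(y, p(y)) : y in Y}, point (y, v) indexed as y*q + v.  Returns (|X|, blocks)."""
    assert r * d < q, "Example 2 requires rd < q"
    blocks = []
    for coeffs in itertools.product(range(q), repeat=d + 1):   # (a_0, ..., a_d)
        p = lambda y: sum(a * pow(y, j, q) for j, a in enumerate(coeffs)) % q
        blocks.append(frozenset(y * q + p(y) for y in range(r * d + 1)))
    return (r * d + 1) * q, blocks

def is_cover_free(blocks, r):
    """Brute-force check of Definition 3: no block lies in the union of r others."""
    for i, b in enumerate(blocks):
        others = [j for j in range(len(blocks)) if j != i]
        for combo in itertools.combinations(others, r):
            if b <= frozenset().union(*(blocks[j] for j in combo)):
                return False
    return True

class StringCommitment:
    """Stand-in for one F_SCOM^N instance: keeps one string, reveals it on the
    first openall, ignores all other messages (no actual commitment scheme)."""
    def __init__(self):
        self.value, self.opened = None, False
    def commit(self, c):
        if self.value is None:
            self.value = c
    def openall(self):
        if self.value is None or self.opened:
            return None
        self.opened = True
        return self.value

class Sender:
    def __init__(self, n, blocks, r):
        self.blocks, self.r, self.opens = blocks, r, 0
        self.inst = [StringCommitment() for _ in range(n)]
        self.committed = False
    def commit(self, bits):
        """Pick c_1..c_n in {0,1}^N uniformly subject to XOR_{j in B_i} c_{j,i} = b_i."""
        N = len(self.blocks)
        assert len(bits) == N and not self.committed
        c = [[secrets.randbelow(2) for _ in range(N)] for _ in self.inst]
        for i, block in enumerate(self.blocks):
            js = sorted(block)
            # one string of the block absorbs the parity constraint for position i
            c[js[-1]][i] = (sum(c[j][i] for j in js[:-1]) + bits[i]) % 2
        for j, inst in enumerate(self.inst):
            inst.commit(tuple(c[j]))
        self.committed = True
    def open(self, i):
        """(open, i): openall every instance in B_i; only the first r calls count."""
        if not self.committed or self.opens >= self.r:
            return None
        self.opens += 1
        return {j: self.inst[j].openall() for j in sorted(self.blocks[i])}
    def openall(self):
        if not self.committed:
            return None
        return {j: inst.openall() for j, inst in enumerate(self.inst)}

class Receiver:
    def __init__(self, blocks):
        self.blocks, self.strings = blocks, {}
    def absorb(self, revealed):   # (open, c_j) messages from the instances
        for j, c in revealed.items():
            if c is not None:
                self.strings[j] = c
    def bit(self, i):
        """XOR over B_i of the i-th bit of c_j; None while some c_j is unopened."""
        if not all(j in self.strings for j in self.blocks[i]):
            return None
        return sum(self.strings[j][i] for j in self.blocks[i]) % 2

def still_hidden(blocks, opened):
    """Hiding argument of Theorem 2: after opening the bits in `opened`, every
    other block must keep an unopened instance, so its bit stays uniform."""
    revealed = frozenset().union(*[blocks[i] for i in opened])
    return all(not blocks[i] <= revealed for i in range(len(blocks)) if i not in opened)

def run_protocol(bits, q=5, d=1, r=2, to_open=(3, 17, 8)):
    """Commit to N = q^(d+1) bits, try to open the indices in to_open (attempts
    beyond the r-th are ignored), then openall.  Returns the receiver's output per
    open attempt, the hiding check, and whether openall recovered every bit."""
    n, blocks = polynomial_cff(q, d, r)
    snd, rcv = Sender(n, blocks, r), Receiver(blocks)
    snd.commit(bits)
    outputs = []
    for i in to_open:
        msg = snd.open(i)
        if msg is not None:
            rcv.absorb(msg)
        outputs.append(rcv.bit(i))
    hidden = still_hidden(blocks, list(to_open[:r]))
    rcv.absorb(snd.openall())
    return outputs, hidden, all(rcv.bit(i) == bits[i] for i in range(len(blocks)))
```

With $q = 5$, $d = 1$, $r = 2$ the family has $|X| = 15$ string commitments of length $N = 25$; the third open attempt is ignored by the sender and, because the family is 2-cover-free, the receiver cannot reconstruct that bit from the strings already opened.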


Theorem 2. Given an $r$-CFF$(X, \mathcal{B})$ where $|X| = n$ and $|\mathcal{B}| = N$, Protocol 1 UC-implements $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ from $n$ instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$.

Proof. It is easy to verify that the protocol is correct if the two players are honest.

Corrupted sender. First, we consider the case where the committer is corrupted. He may send messages (commit, $c_j$) or openall to the instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ and messages (open, $i$) or openall to the receiver.

Our simulator simulates the adversary, and records all messages sent out by the adversary. After receiving all messages (commit, $c_j$) to the instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$, he calculates $b_i := \bigoplus_{j \in B_i} c_{j,i}$ for all $i$ and sends (commit, $(b_1, \ldots, b_N)$) to $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$. After receiving (open, $i$) and all messages openall sent to the instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ in $B_i$, he sends (open, $i$) to $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$. After receiving openall sent to the receiver and all instances, he sends openall to $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$. It is not difficult to verify that our simulation is perfect, and we get real = ideal.

Corrupted receiver. Let the receiver be corrupted by the adversary. He receives committed and (open, $c_j$) messages from the instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ and messages (open, $i$) and openall from the sender.
Our simulator simulates the adversary, and interacts with $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ and the adversary. After receiving the committed message from $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$, it sends committed from all $\mathcal{F}^{N}_{\mathrm{SCOM}}$ to the adversary. After receiving message (open, $i$, $b_i$) from $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$, he first sends (open, $i$) to the adversary. Then for all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ in $B_i$ which have not been opened yet, he chooses strings $c_j$ uniformly at random, with the restriction that $\bigoplus_{j \in B_i} c_{j,i} = b_i$, and sends (open, $c_j$) from the $j$th instance of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ to the adversary. After receiving message (openall, $b$) from $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$, he first sends openall to the adversary. Then for all instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ which have not been opened yet, he chooses the strings $c_j$ uniformly at random, with the restriction that $\bigoplus_{j \in B_i} c_{j,i} = b_i$, and sends (open, $c_j$) from the $j$th instance of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ to the adversary.

To show that this simulation in the ideal setting is identical to the real setting, we have to show that they are identical after each step. It is easy to see that this is the case before anything has been opened, and after openall has been executed.

$\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ allows the sender to open at most $r$ values. Assume that $s \leq r$ have been opened so far. Since $\mathcal{B}$ is an $r$-CFF$(X, \mathcal{B})$, there is at least one instance of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ in $B_i$ for all the remaining $i \in [N]$ that has not been opened yet. Since the $i$th bit of that string is uniform and all the $i$th bits of the strings in $B_i$ add up to $b_i$, the bits at the $i$th position of all the opened strings are uniform and independent of each other and of the bit $b_i$. Therefore, the simulated values sent to the adversary have the same distribution in the real and in the ideal setting. The simulation is again perfect, and we get real = ideal. □

Note that in each instance of $\mathcal{F}^{N}_{\mathrm{SCOM}}$ in Protocol 1, only a subset of the bits are actually used. Since they are at fixed positions and both players know where they are, they can be removed without changing the properties of the protocol. If we use the cover-free family from Example 1, the length of the string commitments used can be reduced to $Ns/n$, and we get the following corollary.

Corollary 3. For any $n \geq s \geq 1$ and $N = \binom{n}{s}$ there exists a protocol that UC-implements $\mathcal{F}^{N,1}_{\mathrm{RCOM}}$ from $(\mathcal{F}^{Ns/n}_{\mathrm{SCOM}})^n$.

The protocol is optimal in the length of the strings up to a factor $s$; otherwise it would be possible to implement a string commitment of length bigger than $n \cdot \ell$ from $n$ instances of string commitment of length $\ell$, which is not possible. Thus, we can build $N = n(n-1)/2$ bit commitments (choosing $s = 2$), from which one can be opened, from $n$ string commitments of length $n - 1$. When choosing $s = n/2$, we obtain an exponential number of committed bits from $n$ strings, since $N = \binom{n}{n/2} > 2^{n/2}$.

If we use the cover-free family of Example 2, then the size of the commitments can be reduced by a factor of $q$ because we can let all the bit commitments which have different values $a_0$ but the same values $a_1, \ldots, a_d$ share the same position in the string commitments. We get the following corollary.

Corollary 4. Let $q$ be a prime power, $d < q$ and $N := q^{d+1}$. There exists a protocol that UC-implements $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ from $(rd + 1)q$ instances of
This is optimal in the length of the strings up to a factor $rd + 1$; otherwise it would again be possible to implement a string commitment of length bigger than $n \cdot \ell$ from $n$ instances of string commitment of length $\ell$, which is not possible. Choosing $d = 1$, we get $N = q^2$ and $n = (r + 1)q$. Thus, there exists a protocol that uses $(r + 1)q$ string commitments of length $q$ and implements $q^2$ bit commitments from which $r$ can be opened.

To obtain an exponential number of bit commitments from $n$ string commitments, we can use Corollary 1 in j^j which gives an explicit construction of a $t$-CFF$(X, \mathcal{B})$ where $|X| \leq 24\,t^2 \log(|\mathcal{B}| + 2)$. Hence, we get the following result.

Corollary 5. There exists a protocol that UC-implements $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ from $24\,r^2 \log(N + 2)$ instances of $\mathcal{F}^{N}_{\mathrm{SCOM}}$.

This is close to the optimal efficiency we can expect from Protocol 1, as it has been shown in Theorem 1.1 in (23 that a $t$-CFF$(X, \mathcal{B})$ must have

\[ |X| \geq c \cdot \frac{t^2}{\log t} \cdot \log |\mathcal{B}| \]

for a constant $c$.

Our protocols can be generalized in a simple way as follows: let $\mathcal{F}^{N,r,c}_{\mathrm{RCOM}}$ be the same functionality as $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ except that every bit is replaced by a block of size $c$. The sender can open up to $r$ blocks, or all $N$ blocks at the same time. It is not difficult to see that if Protocol 1 implements $\mathcal{F}^{N,r}_{\mathrm{RCOM}}$ from $n$ instances of $\mathcal{F}_{\mathrm{SCOM}}$, then it can be transformed into a protocol that implements $\mathcal{F}^{N,r,c}_{\mathrm{RCOM}}$ from $n$ instances of $\mathcal{F}_{\mathrm{SCOM}}$.

3.1 Commitments from Noisy Channels at a Constant Rate

From Corollary 4 with $d = 1$ in combination with the string commitment protocol presented in j2H|, we get the following corollary.

Corollary 6. For any constant $r$, there exists a protocol that implements $\mathcal{F}^{n,r}_{\mathrm{RCOM}}$ using only $O(n)$ noisy channels.

This is optimal up to a constant factor.

4 Conclusions 

In this work we have shown a strong lower bound for reductions of multiple bit commitments to other information-theoretic primitives, such as oblivious transfer or noisy channels. Our bound shows that every single bit commitment needs at least $\Omega(k)$ instances of the underlying primitive. This makes bit commitments often much more costly to implement than oblivious transfer, for example. It would be interesting to see whether these results can be generalized to other functionalities.


On the Efficiency of Bit Commitment Reductions 535 


We have presented a protocol that implements bit commitments more efficiently when the number of bits that can be opened is restricted. Our protocol implements commitments with restricted openings from string commitments. We think that for some resources more efficient protocols might be possible by implementing them directly, instead of using string commitments as a building block.
Abstract. In this paper we solve the problem of secure communication in multicast graphs, which has been open for over a decade. At Eurocrypt '98, Franklin and Wright initiated the study of secure communication against a Byzantine adversary on multicast channels in a neighbor network setting. Their model requires node-disjoint and neighbor-disjoint paths between a sender and a receiver. This requirement is too strong and hence not necessary in the general multicast graph setting. The research to find the lower and upper bounds on network connectivity for secure communication in multicast graphs has been carried out ever since. However, up until this day, there is no tight bound found for any level of security.

We study this problem from a new direction, i.e., we find the necessary and sufficient conditions (tight lower and upper bounds) for secure communication in the general adversary model with adversary structures, and then apply the results to the threshold model. Our solution uses an extended characterization of the multicast graphs, which is based on our observation on the eavesdropping and separating activities of the Byzantine adversary.

Keywords: secure communication, reliable communication, multicast, privacy, reliability, adversary structure.

1 Introduction 

In most communication networks, a sender $S$ and a receiver $R$ are connected by unreliable and distrusted channels. The distrust of the channels is because of the assumption that there exists an adversary who, with unbounded computational power, can control some nodes on these channels. The interplay of network connectivity and secure communication between $S$ and $R$ has been studied extensively (see, e.g., |2l.'llfll4llT>]).

Secure communication is based on the problem of secure message transmission (SMT) between $S$ and $R$. The aim of SMT is to enable a message to be transmitted from $S$ to $R$ privately (i.e., the adversary does not learn the message) and reliably (i.e., $R$ can output the message correctly). In particular, reliable message transmission (RMT) is essential for all transmission protocols, and hence it has been studied extensively. Normally there are two different measures of security or reliability: perfect (i.e., zero probability that the protocol fails to be secure or reliable) and almost perfect (i.e., an arbitrarily small probability that the protocol fails to be secure or reliable) 0.

The traditional studies of RMT and SMT consider a point-to-point network setting, where a sending node can transmit a message to a receiving node through a channel they choose. In the threshold model ($t$-bounded), the adversary is able to control up to $t$ nodes in a network graph. The result by Dolev et al. 0 shows that $n > 2t$ node-disjoint paths are required for RMT and SMT between $S$ and $R$. In 0, Franklin and Wright showed that the connectivity for almost perfect security can be reduced by using multicast channels.

A multicast channel allows a sending node to transmit a message to multiple receiving nodes. The study of secure multicast was initiated by Franklin and Yung in 0. They used hypergraphs to model multicast networks, and studied privacy against a passive adversary (eavesdropper). Goldreich et al. [101 also studied multicast networks, but their work is in the full information model, which is different from the partial broadcast model in which we are interested. At Eurocrypt '98, Franklin and Wright 0 (see also 0) first studied a Byzantine (active) adversary on multicast channels in neighbor networks (defined in 0), in which a message multicast by a node is received, simultaneously and privately, by all its neighbors, where a neighbor is a node that shares a common edge with the sending node.¹ They found that with some properties of the multicast channels, only $n > t$ node-disjoint paths are needed for almost perfectly RMT and SMT. However, their setting is based on a strong assumption, that is, all paths between $S$ and $R$ must be neighbor-disjoint (i.e., there do not exist two paths that have a common neighbor node). Indeed, such a strong assumption may not be necessary in general multicast networks, and hence they gave the following open problem:

... if these $n$ disjoint paths do not have disjoint neighborhood, then an adversary may be able to foil our protocols with $t < n$ faults by using one fault to eavesdrop on two disjoint lines. An obvious direction of further research is to characterize secure communication fully in this more general (multicast graph) setting.

Wang and Desmedt m further investigated the problem of secure communication in a more general multicast graph setting. They conjectured that a general connectivity (weaker than $n > t$ neighbor-disjoint) is the upper bound for achieving perfect privacy and almost perfect reliability (see Section 0 for more details). In another study, Desmedt and Wang 0 (see also) extended this result. By using examples, they showed that the previously conjectured connectivity of d is not necessary, and they also proposed a lower bound for SMT and conjectured its tightness. Since it is very difficult to apply the threshold model in general


¹ For example, in Fig 0a) in Section 0, when a message is multicast by node 2, it will be simultaneously received by nodes 1, 3 and 4. A multicast channel does not allow node 2 to send a message to nodes 1 and 3 without node 4 receiving it.
multicast graphs, up until this day, there has been no result that gives the necessary and sufficient conditions for RMT and SMT in multicast graphs.

Our contributions. We completely solve the problem of secure communication in multicast graphs (neighbor network setting), which has been open and studied for over a decade. We view this problem from a new direction. That is, our solution is based on two basic ideas: (1) a general graph setting can be applied naturally in the general adversary model with adversary structures (see, e.g., jl 1118151171); (2) a threshold corresponds to a special adversary structure. Thus we study multicast graphs in the general adversary model, and then apply the results to the threshold model.

We found that the current adversary structure model is not enough to characterize multicast graphs. Therefore, in Section 0 we give an extended characterization of the multicast graphs, which is based on our observation on the eavesdropping and separating activities of the adversary on the multicast channels. This characterization gives a clearer view on how the message can be securely transmitted over multicast graphs.

With the new characterization, we give the necessary and sufficient conditions for RMT and SMT respectively in Sectional and Section E3. Besides proving that our conditions imply the lower bounds on network connectivity, we also provide message transmission protocols to show that these bounds are tight.

Finally in Section 0 we use our results in the general adversary model to find the necessary and sufficient conditions for RMT and SMT in the threshold model. Also by analyzing the previous results, we show how our results explain all the examples and prove all the conjectures in the previous work. Our final result regarding the tight bounds on network connectivity for RMT and SMT in multicast graphs is presented at the end of this paper.

2 Model 

We abstract away the concrete network structure and model a multicast com- 
munication neighbor network by an undirected graph G(V,E), whose nodes are 
the parties in the network and edges are private and authenticated multicast 
channels. Let S,R £ V, the paths between S and R are not necessarily node- 
disjoint 0 

Let $F$ be a sufficiently large finite field; we assume that $M \subseteq F$ is the 
message space from which $S$ chooses messages. For a set $A$, we use $|A|$ to 
denote the number of elements in $A$, and we write $a \in_R A$ to indicate that 
$a$ is chosen from $A$ with respect to the uniform distribution. 

In the threshold model, an adversary can control up to $t$ nodes in a graph, and 
hence control up to $t$ node-disjoint paths. In the general adversary model, an 
adversary is characterized by an adversary structure, which is defined as follows 
(see the cited works on adversary structures): given a party set $P$, an adversary 
structure $\mathcal{A}$ on $P$ is a subset of $2^P$ such that for any $A, A' \in 2^P$, 
if $A \in \mathcal{A}$ and $A \supseteq A'$, then $A' \in \mathcal{A}$. The 
adversary is able to choose one set $A \in \mathcal{A}$ to control. It is 
straightforward that the threshold model is a special case of the general 
adversary model, because a threshold $t$ can be seen as a special adversary 
structure $\mathcal{A}$ that contains every set $A \in 2^P$ with $t$ parties or fewer. 

² Throughout the paper we consider only simple paths. A simple path is a path 
with no repeated nodes. 

In this paper we consider a Byzantine adversary, who can exhibit active 
behavior. A Byzantine adversary has unlimited resources and computational 
power. Not only can the adversary read the traffic passing through the parties 
it controls, it can also decide whether to deny or to modify a message, whether 
to follow the protocol or not, etc. 

We use the security model given by Franklin and Wright. Let $\Pi$ be an 
SMT protocol. $S$ starts with a message $m^S$ drawn from a message space $M$. At 
the end of $\Pi$, $R$ outputs a message $m^R$. For any execution of the protocol $\Pi$, 
let $adv$ be the adversary's view of the entire protocol, i.e., the behavior of the 
faulty nodes, the initial state of the adversary, and the coin flips of the adversary 
during the execution. We write $adv(m, r)$ to denote the adversary's view when 
$m^S = m$ and when the coin flips of the adversary are $r$. 

Privacy. $\Pi$ is $\varepsilon$-private if, for any two messages $m_1, m_2 \in M$ and any $r$, we 
have $\sum_c \left| \Pr[adv(m_1, r) = c] - \Pr[adv(m_2, r) = c] \right| \le 2\varepsilon$. The probabilities 
are taken over the coin flips of the honest parties, and the sum is over all 
possible values of the adversary's view. 

Reliability. $\Pi$ is $\delta$-reliable if, with probability at least $1 - \delta$, $R$ outputs $m^R = 
m^S$ at the end of the protocol. The probability is over the choice of $m^S$ and 
the coin flips of all parties. 

Security. $\Pi$ is $(\varepsilon, \delta)$-secure if it is $\varepsilon$-private and $\delta$-reliable. 

We say $\Pi$ is perfectly secure (PSMT) if it is a $(0, 0)$-SMT protocol. In this paper, 
we also discuss reliability (without any requirement for privacy): $\delta$-RMT and $0$-RMT, 
and almost perfect security: $(\varepsilon, \delta)$-SMT and $(0, \delta)$-SMT. Note that in the rest of 
the paper, $\varepsilon$ and $\delta$ only appear when studying almost perfect security, thus we 
let $\varepsilon > 0$ and $0 < \delta <$ 

We employ the authentication code $auth(m; a, b) = am + b$ for information-
theoretically secure authentication. An authentication key $(a, b) \in_R F^2$ can be 
used to authenticate one message $m$ without revealing any information about 
the key itself. 

3 Characterization of Multicast Graphs 

In this section we characterize multicast graphs based on adversary struc-
tures. We give an extended characterization which is essential for obtaining the 
necessary and sufficient conditions in the multicast model. This should give a 
clearer insight into the problems we are dealing with. 

We let $P$ be the set of all paths between $S$ and $R$ in a given graph $G(V, E)$. 
The adversary chooses a set of nodes $A \in \mathcal{A}$ to control, where $\mathcal{A}$ is an adversary 
structure on $V \setminus \{S, R\}$. For each path $p \in P$, we define eavesdropping and 
separating as follows. 


542 Q. Yang and Y. Desmedt 


Definition 1. We say that the adversary can eavesdrop on $p$ if it cannot control 
any node on $p$ but can control some neighbors of $p$.³ Suppose that the adversary 
can eavesdrop on $p$ and there is an element $a$ to be transmitted between $S$ and $R$ 
on $p$. We say that the adversary can completely eavesdrop on $p$ if, regardless of which 
protocol is executed, the adversary can learn $a$ by eavesdropping. 

Definition 2. We say that the adversary can separate $S$ and $R$ on $p$ if it can 
control some nodes on $p$. Suppose that the adversary can separate $S$ and $R$ on 
$p$ and there are $k$ elements $(a_1, \ldots, a_k) \in F^k$ to be transmitted on $p$. We let 
$(a_1^S, \ldots, a_k^S)$ and $(a_1^R, \ldots, a_k^R)$ be the views of $S$ and $R$ respectively on these $k$ 
elements at the end of any protocol. We say that the adversary can completely 
separate $S$ and $R$ if, regardless of which protocol is executed and how large $k$ is, there 
exists a strategy of the adversary that causes $\forall i\,(1 \le i \le k): a_i^S \ne a_i^R$. 

Next we show two lemmas regarding the eavesdropping and separating activities 
of the adversary on a single path $p \in P$. We assume that the path $p$ is placed in 
a left-to-right direction, with $S$ at the left end and $R$ at the right end. 

Lemma 1. The adversary can completely eavesdrop on a path $p \in P$ if and only 
if it can eavesdrop on two adjacent nodes⁴ on $p$. 

Proof. We first prove the "if" direction. The privacy problem has been studied 
by Franklin and Yung. They showed that private communication on $p$ is 
possible only if, after removing all the faulty nodes and the hyperedges on which the 
faulty nodes are, path $p$ remains.⁵ Evidently, this necessary condition for privacy 
is satisfied if and only if the adversary cannot eavesdrop on two adjacent nodes 
on $p$ (see Example 1 following this proof). Thus if the adversary can eavesdrop 
on two adjacent nodes on $p$, then it can completely eavesdrop on $p$. 

Next we prove the "only if" direction. We give the following protocol, which 
allows $S$ to send an element $a^S$ to $R$ with perfect privacy when the adversary 
cannot eavesdrop on two adjacent nodes on $p$. First we assume that, including $S$ 
and $R$, there are $k + 2$ nodes $v_0, \ldots, v_{k+1}$ on $p$. We let $S$ be node $v_0$, $R$ be node 
$v_{k+1}$, and $v_1, \ldots, v_k$ be the other $k$ nodes from left to right. 

Single Path Private Propagation Protocol 

1. For each $1 \le i \le k + 1$, $v_i$ initiates an element $a_i \in_R F$ and multicasts it. 
Thus for each $0 \le i \le k$, $v_i$ receives element $a_{i+1}$ from its right-side neighbor 
node $v_{i+1}$. 

2. $S$ sets $i := 1$ and multicasts $b_0 = a^S + a_1$. While $i \le k$, $v_i$ receives element $b_{i-1}$ 
from its left-side neighbor node $v_{i-1}$; $v_i$ then multicasts $b_i = b_{i-1} - a_i + a_{i+1}$ 
and sets $i := i + 1$. 

3. When $i = k + 1$, $R$ receives element $b_k$ from $v_k$; $R$ then sets $a^R := b_k - a_{k+1}$. 

End. 

Obviously, for each $0 \le i \le k$, the element that $v_i$ multicasts is a ciphertext 
$b_i = a^S + a_{i+1}$. In order to decrypt $a^S$, the adversary needs to learn a 
pair $(b_i, a_{i+1})$ for some $0 \le i \le k$. Since $b_i$ is multicast by $v_i$ and $a_{i+1}$ is multicast 
by $v_{i+1}$, an adversary who cannot eavesdrop on two adjacent nodes is not able 
to learn $a^S$ by eavesdropping. □ 

³ Obviously, if the adversary can control some nodes on $p$, then it can learn everything 
passing through those controlled nodes. However, for the purpose of our observation, 
we do not consider this activity as "eavesdropping"; instead, we characterize it as 
"separating", which we describe in Definition 2. 

⁴ Two nodes $u, v \in V$ are said to be adjacent to one another if there is an edge 
$\{u, v\} \in E$ between them. 

⁵ In the threshold model where any $t$ nodes can be faulty, such connectivity is 
called weak $t$-hyper-connectivity. We discuss this connectivity in more detail in 
Section 6. 

Fig. 1. Eavesdropping activities on a single path $p$ 
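As an added illustration (not part of the original paper), the following Python simulation runs the Single Path Private Propagation Protocol over a toy prime field and checks the argument of the proof: an eavesdropper who hears two adjacent nodes recovers $a^S$ from a pair $(b_i, a_{i+1})$, while one who hears only non-adjacent nodes obtains a view that is equally consistent with every candidate $a^S$. The field size, node indices and coin values are constructed for the example.

```python
"""Toy simulation of the Single Path Private Propagation Protocol (Lemma 1)."""
from itertools import product
import random

P = 7  # toy prime field GF(7); the paper takes F "sufficiently large"


class FixedCoins:
    """Deterministic stand-in for the honest nodes' coin flips (used by the tally)."""

    def __init__(self, coins):
        self.coins = list(coins)

    def randrange(self, p):
        return self.coins.pop(0) % p


def private_propagation(a_s, k, rng=random, p=P):
    """Path v_0 = S, v_1..v_k, v_{k+1} = R. Returns (a^R, transcript), where
    transcript[i] lists the field elements v_i multicasts, in order: a neighbour
    of v_i (on or off the path) hears exactly transcript[i]."""
    a = [None] + [rng.randrange(p) for _ in range(k + 1)]   # a_1..a_{k+1}
    transcript = {i: [] for i in range(k + 2)}
    for i in range(1, k + 2):                                # Step 1
        transcript[i].append(a[i])
    b = [(a_s + a[1]) % p]                                   # Step 2: b_0 = a^S + a_1
    transcript[0].append(b[0])
    for i in range(1, k + 1):                                # v_i: b_i = b_{i-1} - a_i + a_{i+1}
        b.append((b[i - 1] - a[i] + a[i + 1]) % p)
        transcript[i].append(b[i])
    return (b[k] - a[k + 1]) % p, transcript                 # Step 3: a^R = b_k - a_{k+1}


def eavesdrop(transcript, heard, k, p=P):
    """The adversary hears every multicast of the nodes in `heard` (it controls a
    neighbour of each). Since b_i = a^S + a_{i+1}, it decrypts iff it hears some
    adjacent pair v_i, v_{i+1}; otherwise None."""
    for i in range(k + 1):
        if i in heard and i + 1 in heard:
            b_i = transcript[i][-1]        # the last element v_i sends is b_i
            a_next = transcript[i + 1][0]  # the first element v_{i+1} sends is a_{i+1}
            return (b_i - a_next) % p
    return None


def consistency_tally(heard, k, true_a_s, coins, p=P):
    """Exhaustive privacy check on a small field: fix the view observed from
    `heard` under the coin vector `coins`, then for every candidate a^S count
    the coin vectors reproducing that view. A flat tally means the view is
    independent of a^S; a single spike means a^S is determined."""
    def view(a_s, c):
        _, tr = private_propagation(a_s, k, FixedCoins(c), p)
        return tuple(tuple(tr[i]) for i in sorted(heard))
    observed = view(true_a_s, coins)
    return [sum(1 for c in product(range(p), repeat=k + 1) if view(cand, c) == observed)
            for cand in range(p)]


if __name__ == "__main__":
    a_R, tr = private_propagation(3, 3)
    print("R recovers", a_R)
    print("adjacent nodes {1,2} heard:", eavesdrop(tr, {1, 2}, 3))
    print("non-adjacent nodes {0,2} heard:", eavesdrop(tr, {0, 2}, 3))
    print("tally, non-adjacent view:", consistency_tally({0, 2}, 2, 3, [1, 2, 3]))
    print("tally, adjacent view:", consistency_tally({0, 1}, 2, 3, [1, 2, 3]))
```

The tally is the information-theoretic content of Lemma 1 made explicit: with nodes 0 and 2 heard, each of the seven candidate values of $a^S$ is consistent with exactly one coin vector, whereas with nodes 0 and 1 heard only the true value survives.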

Single Path Eavesdropping Examples. 

(a) If the adversary can eavesdrop on two adjacent nodes on path $p$, then the 
necessary condition of Franklin and Yung is not satisfied. For example, in Fig. 1(a), 
the faulty node is node 4 and the hyperedges are 

$(S, \{1\}),\ (1, \{S, 2, 4\}),\ (2, \{1, 3, 4\}),\ (3, \{2, R\}),\ (4, \{1, 2\})$ and $(R, \{3\})$. 

By removing the hyperedges that node 4 is on, the remaining hyperedges 
are 

$(S, \{1\}),\ (3, \{2, R\})$ and $(R, \{3\})$. 

Thus $p$ does not remain because edge $\{1, 2\}$ is removed, and hence the 
condition of Franklin and Yung is not satisfied. 

(b) If the adversary cannot eavesdrop on two adjacent nodes on path $p$, then the 
necessary condition of Franklin and Yung is satisfied. For example, in Fig. 1(b), 
the faulty node is node 4 and the hyperedges are 

$(S, \{1\}),\ (1, \{S, 2, 4\}),\ (2, \{1, 3\}),\ (3, \{2, 4, R\}),\ (4, \{1, 3\})$ and $(R, \{3\})$. 

By removing the hyperedges that node 4 is on, the remaining hyperedges 
are 

$(S, \{1\}),\ (2, \{1, 3\})$ and $(R, \{3\})$. 

Thus $p$ remains because all edges on $p$ remain, and hence the condition of 
Franklin and Yung is satisfied. 

The different separating activities were observed by Franklin and Wright, 
but here we extend their result and upgrade their protocol. 

Lemma 2. (following Franklin and Wright) The adversary can completely separate $S$ and $R$ on a 
path $p \in P$ if and only if it can control two or more nodes on $p$. 

Proof. We refer the proof of the "if" direction to Franklin and Wright. 

Next we prove the "only if" direction. We assume that, including $S$ and $R$, 
there are $k + 2$ nodes $v_0, \ldots, v_{k+1}$ on $p$. We let $S$ be node $v_0$, $R$ be node $v_{k+1}$, 
and $v_1, \ldots, v_k$ be the other $k$ nodes from left to right. We show that with the 
following protocol, the adversary cannot completely separate $S$ and $R$ when $k$ 
elements $(a_1, \ldots, a_k)$ are transmitted on $p$ if the adversary can control no more 
than one node on $p$. 


Single Path Distribution Protocol 

1. For each $1 \le i \le k$, $v_i$ initiates an element $a_i \in_R F$ and multicasts it. 

2. For each $1 \le i \le k$, the nodes on the left side of $v_i$ execute an instance 
of the Single Path Private Propagation Protocol from $v_{i-1}$ to $S$ in which 
$v_{i-1}$ sends $a_i$, and the nodes on the right side of $v_i$ execute an instance of 
the Single Path Private Propagation Protocol from $v_{i+1}$ to $R$ in which $v_{i+1}$ 
sends $a_i$. 

3. At the end of the protocol, for each $1 \le i \le k$, $S$ receives an element $a_i^S$ and 
$R$ receives an element $a_i^R$. If $S$ (or $R$) receives nothing regarding element $a_i$ 
for some $1 \le i \le k$, then $S$ (or $R$) sets $a_i^S = \perp$ (or $a_i^R = \perp$). End. 

Let $v_e$ ($1 \le e \le k$) be the only faulty node on $p$. It is straightforward that at 
the end of the protocol, $a_e^S = a_e^R$, even if $v_e$ does not initiate and multicast any 
element (in this case $a_e^S = a_e^R = \perp$). □ 

Next, we give the following two lemmas, which are trivial, so we omit the proofs. 

Lemma 3. If the adversary can only control one node $v$ on a path $p \in P$, then 
regardless of which protocol is executed on $p$, there exists a strategy of the adversary 
that causes the views of $S$ and $R$ to be different except for their views on the 
elements multicast by $v$. 

Lemma 4. Given a node $v$ on a path $p \in P$, if the adversary cannot separate $S$ 
and $R$ on $p$, completely eavesdrop on $p$, or control a neighbor of $v$, then during 
the execution of the Single Path Distribution Protocol on $p$, the adversary cannot 
learn the elements multicast by $v$. 

Having these lemmas, we now present an extended characterization $\mathcal{C}_\mathcal{A}$ of a mul-
ticast graph $G(V, E)$ given an adversary structure $\mathcal{A}$ on $V \setminus \{S, R\}$. 

Definition 3. Given a graph $G(V, E)$, let $\mathcal{A} = \{A_1, \ldots, A_z\}$ be an adversary 
structure on $V \setminus \{S, R\}$ and $P$ be the set of all paths between $S$ and $R$. An 
Extended Characterization of $G$ given $\mathcal{A}$ is $\mathcal{C}_\mathcal{A} = \{C_{A_1}, \ldots, C_{A_z}\}$ where for each 
$1 \le i \le z$, we have $C_{A_i} = (P_i^{(+)}, P_i^{(1)}, P_i^{(*)}, P_i)$ where 

- $P_i^{(+)}$ is the set of all paths on each of which there are at least two nodes 
in $A_i$, 

- $P_i^{(1)}$ is the set of all paths on each of which there is exactly one node in $A_i$, 

- $P_i^{(*)}$ is the set of all paths on each of which there is no node in $A_i$, but on 
each path in $P_i^{(*)}$ there are two adjacent nodes that both have neighbors in 
$A_i$, and 

- $P_i = P_i^{(+)} \cup P_i^{(1)}$ is the set of all paths on each of which there is at least one 
node in $A_i$. 

With the extended characterization $\mathcal{C}_\mathcal{A}$, we know that during the execution of 
any protocol, by choosing a set $A_i \in \mathcal{A}$ to control, the adversary can separate $S$ 
and $R$ on $P_i$, completely separate $S$ and $R$ on $P_i^{(+)}$, and completely eavesdrop 
on $P_i^{(*)}$. 

Given any set $A_i \in \mathcal{A}$, we are particularly interested in the nodes of $A_i$ on the 
paths of $P_i^{(1)}$. For each path $p \in P_i^{(1)}$, we use $A_i \cap p$ to denote the single node 
$v \in A_i$ that is on path $p$; i.e., $v = A_i \cap p$. Note that this notation is only used 
for the paths in $P_i^{(1)}$. 

Definition 4. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus 
\{S, R\}$, we say that $S$ and $R$ are highly $\mathcal{A}$-connected if for any set $A_i \in \mathcal{A}$, we 
have $P_i \cup P_i^{(*)} \ne P$. 

Definition 5. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus 
\{S, R\}$, we say that $S$ and $R$ are lowly $2\mathcal{A}$-separated if there exist two (not 
necessarily distinct) sets $A_1, A_2 \in \mathcal{A}$ such that 

(a) $P_1 \cup P_2 = P$, and 

(b) $P_1^{(1)} = \emptyset$, or for each path $p \in P_1^{(1)}$, we have that $p \in P_2 \cup P_2^{(*)}$ or $A_1 \cap p$ 
has a neighbor in $A_2$, and 

(c) $P_2^{(1)} = \emptyset$, or for each path $p \in P_2^{(1)}$, we have that $p \in P_1 \cup P_1^{(*)}$ or $A_2 \cap p$ 
has a neighbor in $A_1$. 

We say that $S$ and $R$ are lowly $2\mathcal{A}$-connected if they are not lowly $2\mathcal{A}$-separated. 


Lemma 5. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus \{S, R\}$, 
if $S$ and $R$ are lowly $2\mathcal{A}$-connected, then for any set $A_i \in \mathcal{A}$, we have $P_i \ne P$. 

Proof. Assume there exists a set $A_i \in \mathcal{A}$ such that $P_i = P$. If we let both the sets 
$A_1, A_2$ of Definition 5 be $A_i$, then it is straightforward that $S$ and $R$ are lowly 
$2\mathcal{A}$-separated. Thus we have a contradiction. □ 
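To make Definitions 3, 4 and 5 concrete, here is an added Python example (not code from the paper) that enumerates the $S$-$R$ paths of a small graph, computes $C_{A_i}$ for every set of a threshold adversary structure, and evaluates the two connectivity predicates by brute force. The graphs are constructed for the example: one is the path of Fig. 1(a) together with the extra node 4 adjacent to nodes 1 and 2, the other has three node-disjoint paths of length two. Only the definitions are encoded; the outputs are whatever they yield.

```python
"""Extended characterization C_A (Definition 3) and the connectivity predicates
of Definitions 4 and 5, computed by brute force on small graphs."""
from itertools import combinations


def graph(edges):
    """Undirected graph as {node: set(neighbours)} from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def simple_paths(adj, s, r):
    """All simple paths from s to r, each as a tuple of nodes (DFS)."""
    out = []

    def walk(v, path):
        if v == r:
            out.append(tuple(path))
            return
        for w in sorted(adj[v]):
            if w not in path:
                path.append(w)
                walk(w, path)
                path.pop()

    walk(s, [s])
    return out


def characterize(adj, paths, A):
    """C_{A_i} = (P^(+), P^(1), P^(*), P_i) for one adversary set A."""
    plus, one, star = set(), set(), set()
    for p in paths:
        hit = sum(1 for v in p if v in A)
        if hit >= 2:
            plus.add(p)
        elif hit == 1:
            one.add(p)
        elif any(adj[u] & A and adj[v] & A for u, v in zip(p, p[1:])):
            star.add(p)  # two adjacent nodes on p both have a neighbour in A
    return plus, one, star, plus | one


def corrupt_node(p, A):
    """A ∩ p for a path p in P^(1) (exactly one node of p lies in A)."""
    (v,) = [v for v in p if v in A]
    return v


def threshold_structure(parties, t):
    """Adversary structure of the threshold model: every set of at most t parties."""
    return [frozenset(c) for k in range(t + 1) for c in combinations(sorted(parties), k)]


def highly_A_connected(adj, paths, structure):
    """Definition 4: for every A_i, P_i ∪ P_i^(*) ≠ P."""
    P = set(paths)
    return all(c[3] | c[2] != P for c in (characterize(adj, paths, A) for A in structure))


def lowly_2A_separated(adj, paths, structure):
    """Definition 5: some A_1, A_2 (possibly equal) cover P and satisfy (b) and (c)."""
    P = set(paths)
    C = {A: characterize(adj, paths, A) for A in structure}

    def cond(A1, A2):
        """(b)/(c): each p in P_1^(1) lies in P_2 ∪ P_2^(*) or A_1∩p has a neighbour in A_2."""
        one1, (star2, P2) = C[A1][1], C[A2][2:]
        return all(p in P2 | star2 or adj[corrupt_node(p, A1)] & A2 for p in one1)

    return any(C[A1][3] | C[A2][3] == P and cond(A1, A2) and cond(A2, A1)
               for A1 in structure for A2 in structure)


def classify(edges, parties, t, s="S", r="R"):
    """(highly A-connected?, lowly 2A-connected?) for a threshold-t adversary."""
    adj = graph(edges)
    paths = simple_paths(adj, s, r)
    structure = threshold_structure(parties, t)
    return (highly_A_connected(adj, paths, structure),
            not lowly_2A_separated(adj, paths, structure))


# Constructed examples: FIG1A is the path S-1-2-3-R of Fig. 1(a) plus node 4
# adjacent to 1 and 2; THREE_PATHS has three node-disjoint paths of length two.
FIG1A = [("S", "1"), ("1", "2"), ("2", "3"), ("3", "R"), ("4", "1"), ("4", "2")]
THREE_PATHS = [("S", "1"), ("1", "R"), ("S", "2"), ("2", "R"), ("S", "3"), ("3", "R")]

if __name__ == "__main__":
    print(classify(FIG1A, {"1", "2", "3", "4"}, 1))
    print(classify(THREE_PATHS, {"1", "2", "3"}, 1))
```

In the Fig. 1(a) graph a single faulty node 1 lies on both $S$-$R$ paths, so $P_1 = P$ and Lemma 5 already rules out low $2\mathc{A}$-connectivity, while node 4 puts the direct path into $P_4^{(*)}$ and the detour into $P_4^{(1)}$, defeating high $\mathcal{A}$-connectivity. The three-path graph satisfies both predicates for $t = 1$.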


4 Reliable Communication 

In this section, we discuss reliable communication with no requirement for pri-
vacy. We study almost perfect reliability ($\delta$-RMT) in Section 4.1 and perfect 
reliability ($0$-RMT) in Section 4.2. 

4.1 Almost Perfect Reliability 

We give the necessary and sufficient condition for $\delta$-RMT in multicast graphs. 

Theorem 1. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus 
\{S, R\}$, the necessary and sufficient condition for $\delta$-RMT from $S$ to $R$ is that 
$S$ and $R$ are lowly $2\mathcal{A}$-connected. 

Next, we use Lemma 7 and Lemma 8 to show the necessity and sufficiency of 
the condition respectively. Before we present these two lemmas, we first give the 
following Lemma 6, which is a key ingredient for proving the necessity. 

Lemma 6. If there exist two sets $A_1, A_2 \in \mathcal{A}$ such that $P_1^{(+)} \cup P_2^{(+)} = P$, and 
$\delta < \frac{1}{2}\left(1 - \frac{1}{|F|}\right)$, then $\delta$-RMT from $S$ to $R$ is impossible. 

Proof. This lemma can be proven using a technique similar to that of the cited 
Theorem 5.1 and Theorem 3. See the full version of this paper. □ 

Lemma 7. The condition of Theorem 1 is necessary. 

Proof. It is straightforward that in order to achieve $\delta$-reliability, it is necessary 
to have $P_i \ne P$ for any $A_i \in \mathcal{A}$; i.e., $P \setminus P_i \ne \emptyset$. 

Next we prove the necessity of the condition by contradiction. We assume 
that $S$ and $R$ are lowly $2\mathcal{A}$-separated (i.e., there exist two sets $A_1, A_2 \in \mathcal{A}$ as 
in Definition 5) and there exists a $\delta$-RMT protocol $\Pi$ that transmits a 
message $m \in M$ from $S$ to $R$. Without loss of generality, we let $P_1 \cap P_2 = \emptyset$. Now 
if $P_1^{(1)} = \emptyset$ and $P_2^{(1)} = \emptyset$, then we have $P_1^{(+)} = P_1$ and $P_2^{(+)} = P_2$, and hence 
$P_1^{(+)} \cup P_2^{(+)} = P$ (following Definition 5(a)); thus due to Lemma 6, $\delta$-RMT is 
impossible in this case. In the rest of our proof we let $P_1^{(1)} \ne \emptyset$ and/or $P_2^{(1)} \ne \emptyset$. 

We make an observation on how protocol $\Pi$ can achieve $\delta$-reliability. Given 
a node $v$ on a path $p \in P$, we use $(v \sim p)$ to denote the tuple of the elements 
that are multicast by $v$ and received (in any way) by both $S$ and $R$ on $p$, and 
let $(v \sim p)^S$ and $(v \sim p)^R$ be the views of $S$ and $R$ respectively on $(v \sim p)$. 

The strategy of the adversary is to choose an $e \in_R \{1, 2\}$ and control the 
set $A_e$. Let $d \in \{1, 2\}$ such that $d \ne e$; then $R$ should be able to recover the 
actual message from the elements received on $P_d$. If, regardless of whether $e = 1$ or 
$e = 2$, $(v \sim p)^S \ne (v \sim p)^R$ for any $v$ on any $p \in P_e$ (i.e., the views of $S$ and $R$ 
are completely different on $P_e$), then following Lemma 6, $\delta$-RMT is impossible. 
Therefore, there must exist an $e \in \{1, 2\}$ such that $(v \sim p)^S = (v \sim p)^R$ 
is guaranteed for some $v$ on some $p \in P_e$. We say that a tuple of elements 
$(v \sim p)$ where $p \in P_e$ such that $(v \sim p)^S = (v \sim p)^R$ supports the actual 
message. Following Lemma 2, the adversary can completely separate $S$ and $R$ 
on $P_e^{(+)}$ and cause $\forall (p \in P_e^{(+)}, v \text{ on } p): (v \sim p)^S \ne (v \sim p)^R$. Following 
Lemma 3, for any path $p \in P_e^{(1)}$ (if $P_e^{(1)} \ne \emptyset$), $(v \sim p)^S = (v \sim p)^R$ can only 
be guaranteed if $v = A_e \cap p$. Therefore, there must exist an $e \in \{1, 2\}$ such that 
the actual message received on $P_d$ is supported by some $((A_e \cap p) \sim p)$ where 
$p \in P_e^{(1)}$. Next, following Definition 5(b, c), for each path $p \in P_d^{(1)}$ (if $P_d^{(1)} \ne \emptyset$), 
we have case 1: $p \in P_e \cup P_e^{(*)}$, or case 2: $A_d \cap p$ has a neighbor in $A_e$. In case 1, 
$p \in P_e \cup P_e^{(*)}$, due to Lemma 1 there is no private transmission on path $p$ 
whatsoever, so the adversary can learn $((A_d \cap p) \sim p)$. In case 2, $A_d \cap p$ has a 
neighbor in $A_e$, so it is trivial that the adversary can learn $((A_d \cap p) \sim p)$. 

To sum up, we can conclude that when the adversary chooses $A_e$ to control, 
the actual message, which can be recovered from the elements received on 
$P_d$, should be supported by some $((A_e \cap p) \sim p)$ where $p \in P_e^{(1)}$ (if $P_e^{(1)} \ne \emptyset$), 
and the adversary can learn $((A_d \cap p) \sim p)$ for each $p \in P_d^{(1)}$ (if $P_d^{(1)} \ne \emptyset$). 

Now during the execution of the protocol $\Pi$, the adversary corrupts $P_e$ and 
causes $(v \sim p)^S \ne (v \sim p)^R$ for all nodes $v$ on all paths $p \in P_e$ except for $p \in P_e^{(1)}$ 
and $v = A_e \cap p$. This is possible due to Lemma 2 and Lemma 3. As we concluded 
above, the adversary can always learn $((A_d \cap p) \sim p)$ for each $p \in P_d^{(1)}$. Thus on 
$P_e$, the adversary simulates the protocol as if $S$ had sent a message $m' \in M$, and $m'$ 
can be supported by $((A_d \cap p) \sim p)$, where $p \in P_d^{(1)}$. 

Therefore, at the end of the protocol $\Pi$, regardless of whether $e = 1$ or $e = 2$, the 
view of $R$ always consists of the following: 

- on $P_1$, a message is recovered which can be supported by $((A_2 \cap p) \sim p)$ for 
any $p \in P_2^{(1)}$ (if $P_2^{(1)} \ne \emptyset$), but may not be supported by any other elements 
received on $P_2$; 

- on $P_2$, a different message is recovered which can be supported by $((A_1 \cap p) \sim 
p)$ for any $p \in P_1^{(1)}$ (if $P_1^{(1)} \ne \emptyset$), but may not be supported by any other 
elements received on $P_1$. 

Thus, as we showed in Lemma 6, with probability $\delta \ge \frac{1}{2}\left(1 - \frac{1}{|F|}\right)$, $R$ recovers the 
wrong message $m'$. We have a contradiction, which proves the necessity of the 
low $2\mathcal{A}$-connectivity. □ 

Let $P = \{p_1, \ldots, p_n\}$. We first generalize some of Franklin and Wright's protocols 
to multicast graphs. 


Full Distribution Protocol 

1. For each $1 \le j \le n$, the nodes on path $p_j$ execute an instance of the Single 
Path Distribution Protocol for each node $v_i$ on $p_j$ to distribute an element 
$a_{i,j}$. The nodes not on $p_j$ do not multicast anything. 

2. At the end of the protocol, on each path $p_j$ ($1 \le j \le n$), $S$ and $R$ receive 
$a_{i,j}^S$ and $a_{i,j}^R$ respectively as the element initiated by node $v_i$ on $p_j$. End. 

Private Propagation Protocol 

1. For each $1 \le j \le n$, the nodes on path $p_j$ execute an instance of the Single 
Path Private Propagation Protocol from $S$ to $R$ in which $S$ sends an element 
$a_j$, and the nodes not on $p_j$ do not multicast anything. 

2. At the end of the protocol, on each path $p_j$ ($1 \le j \le n$), $R$ receives $a_j^R$ as 
the element that $S$ initiated and propagated on $p_j$. End. 

Now we present the following protocol, which achieves $\delta$-RMT for a message 
$m \in M$ in a graph $G(V, E)$. 

Reliable Transmission Protocol 

1. The nodes of $V$ execute an instance of the Full Distribution Protocol in 
which for each $1 \le j \le n$, the elements that node $v_i$ on path $p_j$ initiates 
are $(a_{i,j}, b_{i,j}) \in_R F^2$. Let $(a_{i,j}^S, b_{i,j}^S)$ and $(a_{i,j}^R, b_{i,j}^R)$ be what $S$ and $R$ receive 
respectively regarding $(a_{i,j}, b_{i,j})$. 

2. The nodes of $V$ execute an instance of the Private Propagation Protocol 
from $S$ to $R$ in which $S$ sends the same vector on all paths in $P$: 

$(m, \langle auth(m; a_{i,j}^S, b_{i,j}^S) \rangle)$, 

where $\langle auth(m; a_{i,j}^S, b_{i,j}^S) \rangle$ is an ordered set of the authenticated $m$ with all 
keys $(a_{i,j}^S, b_{i,j}^S)$ that $S$ receives in Step 1. At the end of the instance, $R$ receives 
a vector $(m_k, \langle u_{i,j,k} \rangle)$ on each path $p_k \in P$. 

3. Given the vector $(m_k, \langle u_{i,j,k} \rangle)$ that $R$ receives on $p_k$, if $\exists (i, j): u_{i,j,k} = 
auth(m_k; a_{i,j}^R, b_{i,j}^R)$, then we say that $m_k$ is qualified on $(v_i \sim p_j)$. $R$ finds an 
$A_f \in \mathcal{A}$ that satisfies the following three $\alpha$-conditions: 

$\alpha$-1 all vectors received on $P \setminus P_f$ are the same, say vector $(m_l, \langle u_{i,j,l} \rangle)$; 
$\alpha$-2 $P_f^{(1)} = \emptyset$, or for each $p_j \in P_f^{(1)}$, $m_l$ is qualified on $((A_f \cap p_j) \sim p_j)$; 

$\alpha$-3 $P_f \cup P_f^{(*)} = P$, or for any vector $(m_k, \langle u_{i,j,k} \rangle)$ received on path $p_k \in P_f$ 
such that $m_k \ne m_l$, we have that $m_k$ is not qualified on any $(v_i \sim p_j)$ 
where $p_j \in P \setminus (P_f \cup P_f^{(*)})$ and $v_i$ does not have a neighbor in $A_f$. 

$R$ then outputs the message $m_l$. End. 

Lemma 8. The Reliable Transmission Protocol is a $\delta$-RMT protocol under the 
condition of Theorem 1. 

Proof. It is straightforward that if the adversary cannot learn some $(a_{i,j}, b_{i,j})$ 
(initiated by $v_i$ and multicast on $p_j$) but a corrupted $m_k$ is qualified on $(v_i \sim p_j)$, 
then the Reliable Transmission Protocol fails. We use $\overline{RT}$ to denote the event 
that the above failure occurs and $RT$ to denote the event otherwise. Let $n$ be 
the total number of paths between $S$ and $R$ and $\gamma$ be the maximum number of 
nodes on any path; following the proof of the cited Theorem 3.4, the probability 
$\Pr[\overline{RT}]$ that the protocol fails is negligible in the security parameter (given 
that $F$ is sufficiently large). Next in our proof, we assume that the above failure 
does not happen. That is, we analyze the protocol in the event $RT$. 

In the following, we first show that $R$ can always find an $A_f \in \mathcal{A}$ that satisfies 
the three $\alpha$-conditions, then we prove, by contradiction, that in the event $RT$, 
the message output by $R$ is correct. 

Now we show that there always exists an $A_f$ that satisfies all three $\alpha$-conditions, 
at least when the adversary chooses $A_f$ to control so that $P_f$ is corrupted. Since 
$P_f \ne P$ (following Lemma 5), we immediately have that condition $\alpha$-1 is satis-
fied and the $m_l$ received on $P \setminus P_f$ is the actual message. If $P_f^{(1)} \ne \emptyset$, then as shown 
in the proof of Lemma 2, on each $p_j \in P_f^{(1)}$, $S$ and $R$ always have the same 
view on the key initiated by $A_f \cap p_j$. Thus it is clear that $m_l$ is qualified on 
$((A_f \cap p_j) \sim p_j)$, and hence condition $\alpha$-2 is satisfied. If $P_f \cup P_f^{(*)} \ne P$, then 
the adversary cannot learn the key initiated by any node $v_i$ which is on a path 
$p_j \in P \setminus (P_f \cup P_f^{(*)})$ if $v_i$ does not have a neighbor in $A_f$. Thus, without the 
above mentioned failure $\overline{RT}$, any faulty message $m_k \ne m_l$ cannot be qualified 
on such a $(v_i \sim p_j)$, and hence condition $\alpha$-3 is satisfied. 

Next, using contradiction, we show that in the event $RT$, the message $m_l$ 
that $R$ outputs is the actual message. For contradiction, we assume that $m_l$ is 
modified by the adversary who chooses a set $A_e \in \mathcal{A}$ to control, and all three 
$\alpha$-conditions are satisfied. We now show that the three $\alpha$-conditions imply the 
three properties of $A_1, A_2$ in Definition 5. 

- From condition $\alpha$-1, since all vectors received on $P \setminus P_f$ are modified, we 
have $P_e \cup P_f = P$ (i.e., corresponding to Definition 5(a)). 

- Condition $\alpha$-2 indicates that either $P_f^{(1)} = \emptyset$, or the adversary can learn the 
key initiated by node $A_f \cap p_j$ on any path $p_j \in P_f^{(1)}$ to make the faulty 
message $m_l$ qualified on $((A_f \cap p_j) \sim p_j)$. Due to Lemma 4, this means that 
the adversary can separate $S$ and $R$ on $p_j$, completely eavesdrop on $p_j$, or 
control a neighbor of $A_f \cap p_j$. Thus from condition $\alpha$-2 we can conclude that 
$P_f^{(1)} = \emptyset$, or for each path $p_j \in P_f^{(1)}$, we have that $p_j \in P_e \cup P_e^{(*)}$ or $A_f \cap p_j$ 
has a neighbor in $A_e$ (i.e., corresponding to Definition 5(c)). 

- Finally, since $P_e \ne P$ and $P_e \cup P_f = P$, there exists at least one path 
$p_k \in P_f$ such that the message $m_k$ received on $p_k$ is the actual message. Due 
to condition $\alpha$-3, there are two cases: 

case 1 $P_f \cup P_f^{(*)} = P$, thus we have $P_e^{(1)} \subseteq P_f \cup P_f^{(*)} = P$; 
case 2 The actual message $m_k$ is not qualified on any $(v_i \sim p_j)$ where $p_j \in 
P \setminus (P_f \cup P_f^{(*)})$ and $v_i$ does not have a neighbor in $A_f$. This implies 
that either $p_j \in P_e^{(+)}$, or $p_j \in P_e^{(1)}$ but any $v_i$ on $p_j$ that does not 
have a neighbor in $A_f$ is not $A_e \cap p_j$ (because otherwise the actual 
message $m_k$ would be qualified on $(v_i \sim p_j)$, due to the proof of 
Lemma 2). That is, if such a $p_j \in P_e^{(1)}$ exists, then all the nodes on $p_j$ 
that do not have a neighbor in $A_f$ are not $A_e \cap p_j$. This implies that 
$A_e \cap p_j$ has a neighbor in $A_f$. 

It is easy to conclude that in either case, $P_e^{(1)} = \emptyset$, or for each path $p_j \in P_e^{(1)}$, 
we have $p_j \in P_f \cup P_f^{(*)}$ or $A_e \cap p_j$ has a neighbor in $A_f$ (i.e., corresponding 
to Definition 5(b)). 

To sum up, $A_e, A_f$ are as $A_1, A_2$ in Definition 5. This means $S$ and $R$ are lowly 
$2\mathcal{A}$-separated, which contradicts the condition of Theorem 1. 

Therefore, at the end of the Reliable Transmission Protocol, $R$ can recover 
$m_l = m$ with an arbitrarily small probability of failure (i.e., $\Pr[\overline{RT}]$, which is negligible). 
Thus the Reliable Transmission Protocol is a $\delta$-RMT protocol. □ 

4.2 Perfect Reliability 

Here we study $0$-RMT in multicast graphs. Similar to the result of Franklin and Wright, we show 
that the necessary and sufficient condition for $0$-RMT in the multicast setting 
is the same as that in the point-to-point setting. The following theorem can be 
easily proven following previous results in the literature. 

Theorem 2. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus 
\{S, R\}$, the necessary and sufficient condition for $0$-RMT from $S$ to $R$ is that 
$P_i \cup P_j \ne P$ for any two sets $A_i, A_j \in \mathcal{A}$. 

Proof. See the full version of this paper. □ 

5 Secure Communication 

In this section we take the problem of achieving privacy into consideration. We 
study almost perfect security in Section 5.1, i.e., we discuss both $(\varepsilon, \delta)$-SMT and 
$(0, \delta)$-SMT. In Section 5.2 we study $(0, 0)$-SMT, which enables perfect security. 

5.1 Almost Perfect Security 

First we give the necessary and sufficient condition for $(\varepsilon, \delta)$-SMT in multicast 
graphs. Unlike the previously studied setting in which the conditions for both $\delta$-RMT and 
$(\varepsilon, \delta)$-SMT are the same (i.e., $n > t$), in multicast graphs $(\varepsilon, \delta)$-SMT requires 
stronger connectivity than $\delta$-RMT. 

Theorem 3. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus 
\{S, R\}$, the necessary and sufficient condition for $(\varepsilon, \delta)$-SMT from $S$ to $R$ is 
that $S$ and $R$ are highly $\mathcal{A}$-connected and lowly $2\mathcal{A}$-connected. 

Proof. We first prove the necessity of the condition. It is straightforward that 
the high $\mathcal{A}$-connectivity, i.e., $P_i \cup P_i^{(*)} \ne P$, is necessary for achieving $\varepsilon$-privacy, 
because otherwise there is no private transmission between $S$ and $R$ on any path 
in $P$. Moreover, as proven in Lemma 7, the low $2\mathcal{A}$-connectivity is necessary for 
achieving $\delta$-reliability. Thus the condition is necessary for $(\varepsilon, \delta)$-SMT. 

Next we show that the condition is sufficient. Let $P = \{p_1, \ldots, p_n\}$; we give 
the following protocol (similar to earlier protocols in the literature) for $S$ to send a message $m \in M$ to $R$. 

Private Transmission Protocol 

1. The nodes of $V$ execute an instance of the Private Propagation Protocol 
from $S$ to $R$ in which for each $1 \le j \le n$, $S$ sends a pair $(a_j, b_j) \in_R F^2$ on 
path $p_j \in P$. At the end of the instance, $R$ receives a pair $(a_j^R, b_j^R)$ on each 
path $p_j \in P$. 

2. $R$ chooses an element $r^R \in_R F$ and for each $1 \le j \le n$, computes $s_j^R = 
auth(r^R; a_j^R, b_j^R)$. The nodes of $V$ execute an instance of the Reliable Trans-
mission Protocol from $R$ to $S$ in which $R$ sends a vector $(r^R, s_1^R, \ldots, s_n^R)$. At 
the end of the instance, $S$ outputs a vector $(r^S, s_1^S, \ldots, s_n^S)$. 

3. $S$ computes an index set $I = \{j \mid s_j^S = auth(r^S; a_j, b_j)\}$ and an encryption 
key $key = \sum_{j \in I} a_j$, and encrypts the message: $c = m + key$. The nodes of $V$ 
execute an instance of the Reliable Transmission Protocol from $S$ to $R$ in 
which $S$ sends a vector $(I, c)$. At the end of the instance, $R$ outputs a vector 
$(I', c')$. 

4. $R$ computes a decryption key $key' = \sum_{j \in I'} a_j^R$ and decrypts the message: 
$m' = c' - key'$. End. 
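The following added Python example (not the authors' code) runs Steps 1 to 4 of the Private Transmission Protocol on $n$ abstract paths, with both Reliable Transmission instances modelled as a reliable channel (the event $RT$), and exercises the two facts the proof below relies on: a pair replaced in Step 1 passes the Step 3 check for at most one value of $r^R$, and a private path $d \in I$ leaves the adversary holding only $m + a_d$, which is uniform. It also serves as a worked instance of the authentication code $auth(m; a, b) = am + b$ from Section 2. The field size, coin values and tampered pairs are constructed for the example.

```python
"""Private Transmission Protocol (Theorem 3) on n abstract paths, with the two
Reliable Transmission instances modelled as a reliable channel (event RT)."""
import random

P = 101  # toy prime field; F must be large enough that 1/|F| is negligible


def auth(m, a, b, p=P):
    """One-time information-theoretic authentication code auth(m; a, b) = a*m + b."""
    return (a * m + b) % p


class FixedCoins:
    """Deterministic coin flips so that a run can be checked by hand."""

    def __init__(self, coins):
        self.coins = list(coins)

    def randrange(self, p):
        return self.coins.pop(0) % p


def private_transmission(m, n, tamper=None, rng=random, p=P):
    """Steps 1-4 of the protocol. `tamper` maps j -> (a', b') for the paths in
    P_e on which the adversary replaces the Step-1 pair (None = honest run).
    Returns the pairs on both sides, r^R, the index set I, c and R's output."""
    tamper = tamper or {}
    pairs_S = [(rng.randrange(p), rng.randrange(p)) for _ in range(n)]  # Step 1: (a_j, b_j)
    pairs_R = [tamper.get(j, pair) for j, pair in enumerate(pairs_S)]    # (a_j^R, b_j^R)
    r = rng.randrange(p)                                                  # Step 2: r^R
    s = [auth(r, a, b, p) for a, b in pairs_R]                            # s_j^R, sent reliably
    I = [j for j in range(n) if s[j] == auth(r, *pairs_S[j], p)]          # Step 3: keys that verify
    c = (m + sum(pairs_S[j][0] for j in I)) % p                           # c = m + key
    m_out = (c - sum(pairs_R[j][0] for j in I)) % p                       # Step 4: m' = c' - key'
    return {"pairs_S": pairs_S, "pairs_R": pairs_R, "r": r, "I": I, "c": c, "m_out": m_out}


def undetected_r_count(pair, forged, p=P):
    """Number of r in F for which a replaced pair still passes the Step-3 check,
    i.e. r*(a^S - a^R) = b^R - b^S holds: at most one of |F| values."""
    (a, b), (a2, b2) = pair, forged
    return sum(1 for r in range(p) if auth(r, a, b, p) == auth(r, a2, b2, p))


def adversary_residual(run, known_paths, p=P):
    """What the adversary can strip from c with the a_j it learnt (paths in
    P_e and P_e^(*)). If a private path d is in I, the result is m + a_d with a_d
    unknown and uniform, so the ciphertext reveals nothing about m."""
    return (run["c"] - sum(run["pairs_S"][j][0] for j in run["I"] if j in known_paths)) % p


if __name__ == "__main__":
    coins = [5, 7, 11, 13, 17, 19, 3]  # three pairs, then r^R = 3 (constructed)
    honest = private_transmission(42, 3, rng=FixedCoins(coins))
    print("honest:", honest["I"], honest["m_out"])
    caught = private_transmission(42, 3, tamper={0: (6, 7)}, rng=FixedCoins(coins))
    print("tampered, detected:", caught["I"], caught["m_out"])
    lucky = private_transmission(42, 3, tamper={0: (6, 4)}, rng=FixedCoins(coins))
    print("tampered, r collides (delta_3 case):", lucky["I"], lucky["m_out"])
    print("r values passing the forged pair:", undetected_r_count((5, 7), (6, 4)))
    print("adversary residual knowing paths 1,2:", adversary_residual(honest, {1, 2}))
```

The third run is the $\delta_3$ event of the proof: the forged pair $(6, 4)$ was chosen so that $r^R(a_j^S - a_j^R) = b_j^R - b_j^S$ holds for $r^R = 3$, and for that one value of $r^R$ out of $|F|$ the path stays in $I$ and $R$ decrypts the wrong message.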

First we show that this protocol achieves $\varepsilon$-privacy. Suppose that the adversary 
chooses a set $A_e$ to control. Since $P_e \cup P_e^{(*)} \ne P$, there exists a path $p_d \in 
P \setminus (P_e \cup P_e^{(*)})$. As shown in the proof of Lemma 1, the adversary cannot learn 
$(a_d, b_d)$ in Step 1. Because $p_d \notin P_e$, we have $(a_d^R, b_d^R) = (a_d, b_d)$. Let $RT$ denote 
the event that the instance of the Reliable Transmission Protocol in Step 2 
succeeds and $\overline{RT}$ denote the event otherwise. In the event $RT$, $r^S = r^R$ and for 
each $1 \le j \le n$, we have $s_j^S = s_j^R$. This implies that $d \in I$. The adversary, who 
cannot learn $a_d$ by eavesdropping or by decoding $s_d^R$, will not be able to compute 
$key$ to decrypt $m$. That is, for any two messages $m_1, m_2 \in M$ and any coin flips 
$r$, using the adversary's view $adv$, we have the following: 


$$\sum_c \left| \Pr[adv(m_1, r) = c \mid RT] - \Pr[adv(m_2, r) = c \mid RT] \right| = 0 \quad (1)$$ 

$$\sum_c \left| \Pr[adv(m_1, r) = c \mid \overline{RT}] - \Pr[adv(m_2, r) = c \mid \overline{RT}] \right| \le |{+1}| + |{-1}| = 2 \quad (2)$$ 

Let $\Pr[\overline{RT}] = \varepsilon$, which is arbitrarily small as we discussed in the proof of 
Lemma 8. By combining Eq. (1) and Eq. (2) we have the following: 

$$\sum_c \left| \Pr[adv(m_1, r) = c] - \Pr[adv(m_2, r) = c] \right| \le 0 \cdot \Pr[RT] + 2 \cdot \Pr[\overline{RT}] = 2\varepsilon.$$ 


Thus the Private Transmission Protocol achieves $\varepsilon$-privacy. 

Next we show that the protocol achieves $\delta$-reliability. Let $\delta_1$ be the proba-
bility that the instance of the Reliable Transmission Protocol in Step 2 fails 
and $\delta_2$ be the probability that the instance in Step 3 fails. As we showed in 
the proof of Lemma 8, $\delta_1$ and $\delta_2$ are negligible in the security parameter. Let 
$\delta_3$ be the probability that both the above mentioned instances succeed, but $R$ 
outputs $m' \ne m$. This can only happen if there exists at least one $j \in I$ such 
that $a_j^S \ne a_j^R$. Since both reliable protocols succeed, the fact $j \in I$ implies 
$auth(r^R; a_j^S, b_j^S) = auth(r^R; a_j^R, b_j^R)$. That is, 

$$r^R \left(a_j^S - a_j^R\right) = b_j^R - b_j^S, \quad (3)$$ 

where $a_j^S \ne a_j^R$. Since $r^R$ is chosen with respect to the uniform distribution, 
if the adversary modifies $(a_j^S, b_j^S)$ to $(a_j^R, b_j^R)$ on path $p_j$ in Step 1, then the 
probability that Eq. (3) is fulfilled is $\frac{1}{|F|}$. Since the adversary can corrupt $|P_e|$ 
paths, it is straightforward that $\delta_3 \le \frac{|P_e|}{|F|} < \frac{n}{|F|}$, which is much smaller than 
$\delta_1$ and $\delta_2$. Thus the final probability that the protocol fails to be reliable is 

$$\delta = \delta_1 + (1 - \delta_1)\delta_2 + \left(1 - (\delta_1 + (1 - \delta_1)\delta_2)\right)\delta_3 \le \delta_1 + \delta_2 + \delta_3.$$ 

To sum up, the Private Transmission Protocol is an $(\varepsilon, \delta)$-SMT protocol. □ 

Note that the condition of Theorem 3 can be seen as consisting of two parts: 
the high $\mathcal{A}$-connectivity enables private communication and the low $2\mathcal{A}$-
connectivity enables $\delta$-reliable communication. These two types of connectivity 
are independent. Indeed, with some examples in Section 6 we can show that 
they do not imply each other. 

Yang and Desmedt proved that reducing the requirement for privacy 
does not weaken the minimal connectivity. In the following theorem, we show 
that the condition for $(\varepsilon, \delta)$-SMT is also necessary and sufficient for $(0, \delta)$-SMT. 

Theorem 4. Given a graph $G(V, E)$ and an adversary structure $\mathcal{A}$ on $V \setminus 
\{S, R\}$, the necessary and sufficient condition for $(0, \delta)$-SMT from $S$ to $R$ is 
that $S$ and $R$ are highly $\mathcal{A}$-connected and lowly $2\mathcal{A}$-connected. 

Proof. It is straightforward that the condition is necessary. Next we show that 
the condition is sufficient by slightly amending the Private Transmission Protocol 
into the following protocol, which achieves perfect privacy. 

Perfectly Private Transmission Protocol 

1. Same as Step 1 in the Private Transmission Protocol.

2. $R$ chooses an element $r^R \in_R \mathbb{F}$ and for each $1 \le j \le n$, computes
$s_j^R = \mathrm{auth}(r^R; a_j^R, b_j^R)$. The nodes of $V$ execute an instance of the Reliable
Transmission Protocol from $R$ to $S$ in which $R$ sends a vector $(r^R, s_1^R, \ldots, s_n^R)$. At
the end of the instance, $S$ distinguishes the following two cases:

Case 1 If there exist two sets $A_{i_1}, A_{i_2} \in \mathcal{A}$ that satisfy all three a-conditions
of the Reliable Transmission Protocol, and the two vectors (both regarding the vector
$(r^R, s_1^R, \ldots, s_n^R)$) that $S$ receives respectively on $P \setminus P_{i_1}$ and
$P \setminus P_{i_2}$ are different, then $S$ terminates the protocol.
Case 2 Otherwise, $S$ outputs a vector $(r^S, s_1^S, \ldots, s_n^S)$ and goes to Step 3.

3. Same as Step 3 in the Private Transmission Protocol.

4. Same as Step 4 in the Private Transmission Protocol. End.

Now we show that this protocol achieves 0-privacy. Following the proof of Theorem [?], the privacy
of the message transmission can only be breached in the event $RT$. It is clear that the instance of
the Reliable Transmission Protocol in Step 2 allows $S$ to distinguish the events $RT$ and
$\overline{RT}$. As we showed in the proof of Lemma [?], in the event $\overline{RT}$, only the
correct vector can be output after the Reliable Transmission Protocol. This means that if two
different vectors can be output, then the event $RT$ occurs. Thus in Step 2, Case 1 indicates $RT$
and Case 2 indicates $\overline{RT}$. In the event $RT$, $S$ terminates the protocol, so the
adversary learns nothing about the message. Thus the protocol achieves 0-privacy.^6 Next, using a
similar proof as that for Theorem [?], we can prove that the Perfectly Private Transmission
Protocol is also $\delta$-reliable, which concludes the proof. □

6 A more formal proof is available in the full version of this paper [?].

5.2 Perfect Security

In [?], Dolev et al. showed that if $\sigma$ is the maximum number of channels that a listening
(passive) adversary can control and $\rho$ is the maximum number of channels that a disrupting
(active) adversary can control, then there must be at least $\max\{\sigma+\rho+1,\ 2\rho+1\}$
channels between $S$ and $R$ for PSMT (i.e., $(0,0)$-SMT). This setting can be generalized in our
model as follows: given an adversary structure $\mathcal{A} = \{A_1, \ldots, A_z\}$, then
$\{P_1 \cup P_1^*, \ldots, P_z \cup P_z^*\}$ consists of the subsets of paths a listening adversary
can control and $\{P_1, \ldots, P_z\}$ consists of the subsets of paths a disrupting adversary can
control. Thus we give the following theorem for $(0,0)$-SMT in multicast graphs.

Theorem 5. Given a graph $G(V,E)$ and an adversary structure $\mathcal{A}$ on $V \setminus \{S,R\}$.
The necessary and sufficient condition for $(0,0)$-SMT from $S$ to $R$ is that

$(P_i \cup P_i^*) \cup P_j \ne P$ for any $A_i, A_j \in \mathcal{A}$.

Proof. See the full version of this paper [?]. □

6 Corresponding Threshold Model 

In this section we use our results in the general adversary model to find the 
necessary and sufficient conditions for RMT and SMT in the threshold model. 
Because a threshold is a special case of an adversary structure, we re-define the 
threshold model in the adversary structure context. 

Definition 6. Given a graph $G(V,E)$, a threshold $t$ is an adversary structure $\mathcal{A}_T$
such that $\forall (A \subseteq V \setminus \{S,R\},\ |A| \le t) : A \in \mathcal{A}_T$. Furthermore,

— we say that $S$ and $R$ are $t_{private}$-connected if they are highly $\mathcal{A}_T$-connected;

— we say that $S$ and $R$ are $t_{reliable}$-connected if they are lowly $2\mathcal{A}_T$-connected.

It is easy to show that our results correspond to Franklin and Wright's [?] if the multicast graph
only consists of $n$ node-disjoint and neighbor-disjoint paths. For more details see the full
version of this paper [?].

Next we discuss the connectivity in the general multicast graph setting with some previous
results. In [?], Desmedt and Wang looked at four different types of connectivity. With slight
changes, we show them in our model as follows.

— $t$-connectivity. For any $A \in \mathcal{A}_T$, after removing all nodes in $A$ from $G$, there
remains a path between $S$ and $R$.

— weak $t_{hyper}$-connectivity. For any $A \in \mathcal{A}_T$, after removing from the hypergraph
$H_G(V, E_H)$ all nodes in $A$ and all hyperedges on each of which there is at least one node in
$A$, there remains a path between $S$ and $R$ (see [?]).

— $t_{neighbor}$-connectivity. For any $A \in \mathcal{A}_T$, after removing all nodes in $A$ and
all their neighbors from $G$, there remains a path between $S$ and $R$.

— weak $(n,t)$-connectivity. There are $n$ node-disjoint paths $p_1, \ldots, p_n$ between $S$ and
$R$, and for any $A \in \mathcal{A}_T$, after removing all nodes in $A$ and all their neighbors
from $G$, there remains a path $p_i$ ($1 \le i \le n$) between $S$ and $R$.
Fig. 2. Private and reliable connectivity

As we showed in the proof of Lemma [?], Franklin and Yung's weak $t_{hyper}$-connectivity [?] in a
hypergraph $H_G$ is essentially our $t_{private}$-connectivity in a multicast graph $G$. Thus we
use the $t_{private}$-connectivity to replace the weak $t_{hyper}$-connectivity in the rest of the
paper for a simpler presentation. Desmedt and Wang [?] showed that the following implications are
strict:

weak $(n,t)$-connectivity $\Rightarrow$ $t_{neighbor}$-connectivity $\Rightarrow$
$t_{private}$-connectivity $\Rightarrow$ $t$-connectivity.

In [?], Wang and Desmedt claimed that the weak $(n,t)$-connectivity is sufficient for
$(0,\delta)$-SMT. Since weak $(n,t)$-connectivity $\Rightarrow$ $t_{private}$-connectivity, it is
clear that 0-privacy can be achieved. However, $\delta$-reliability is only achievable under their
condition if weak $(n,t)$-connectivity $\Rightarrow$ $t_{reliable}$-connectivity. In [?], there is
not a proper proof showing this implication. Thus their claim is only a conjecture. We leave this
as an open problem.

A later study by Desmedt and Wang [?] showed that the conjectured upper bound, i.e., the weak
$(n,t)$-connectivity, is not necessary for $(0,\delta)$-SMT, by showing an example, as Fig. 2(a),
in which $S$ and $R$ are not weakly $(2,1)$-connected but $(0,\delta)$-SMT is possible. We observe
that their protocol (which appeared in [?]) is actually an $(\epsilon,\delta)$-SMT protocol, but
the claim is correct, because $S$ and $R$ are obviously $1_{private}$-connected and
$1_{reliable}$-connected in Fig. 2(a). They also showed that the weak $t_{hyper}$-connectivity
(i.e., the $t_{private}$-connectivity) is the lower bound for $(0,\delta)$-SMT but not necessary
for $\delta$-RMT, as in Fig. 2(b) where $S$ and $R$ are not $1_{private}$-connected but
$\delta$-RMT is possible. This claim is obvious under our condition because $S$ and $R$ are clearly
$1_{reliable}$-connected. Finally they conjectured that the weak $t_{hyper}$-connectivity (i.e.,
the $t_{private}$-connectivity) is not sufficient for $(0,\delta)$-SMT, by asking whether
$(0,\delta)$-SMT is possible in Fig. 2(c) such that $S$ and $R$ are $1_{private}$-connected. Our
condition proves their conjecture. Indeed, not only is $(0,\delta)$-SMT impossible in Fig. 2(c),
but $\delta$-RMT is also impossible, because $S$ and $R$ are not $1_{reliable}$-connected.
Therefore, our result explains all the examples and proves all the conjectures in the previous
work.

Note that the examples of Fig. 2(b) and Fig. 2(c) also show that the $t_{private}$-connectivity
(or, the high $\mathcal{A}$-connectivity) and the $t_{reliable}$-connectivity (or, the low
$2\mathcal{A}$-connectivity) do not imply each other, because in Fig. 2(b), $S$ and $R$ are
$1_{reliable}$-connected but not $1_{private}$-connected, and in Fig. 2(c), they are
$1_{private}$-connected but not $1_{reliable}$-connected.

At the end, we present the following corollary as the final result of this paper. 

Corollary 1. Given a graph $G(V,E)$ and an adversary who can control up to $t$ nodes in
$V \setminus \{S,R\}$.

— $\delta$-RMT is possible if and only if $S$ and $R$ are $t_{reliable}$-connected in $G$.

— 0-RMT is possible if and only if $S$ and $R$ are $2t$-connected in $G$.

— $(\epsilon,\delta)$-SMT or $(0,\delta)$-SMT is possible if and only if $S$ and $R$ are
$t_{private}$-connected and $t_{reliable}$-connected in $G$.

— $(0,0)$-SMT is possible if and only if $S$ and $R$ are $(t_{private}+t)$-connected in $G$. The
$(t_{private}+t)$-connectivity means that for any $A_i, A_j \in \mathcal{A}_T$, we have
$(P_i \cup P_i^*) \cup P_j \ne P$.
Abstract. We consider the problem of private function evaluation (PFE) in the two-party setting.
Here, informally, one party holds an input $x$ while the other holds a (circuit describing a)
function $f$; the goal is for one (or both) of the parties to learn $f(x)$ while revealing nothing
more to either party. In contrast to the usual setting of secure computation, where the function
being computed is known to both parties, PFE is useful in settings where the function (i.e.,
algorithm) itself must remain secret, e.g., because it is proprietary or classified.

It is known that PFE can be reduced to standard secure computation by having the parties evaluate
a universal circuit, and this is the approach taken in most prior work. Using a universal circuit,
however, introduces additional overhead and results in a more complex implementation. We show here
a completely new technique for PFE that avoids universal circuits, and results in constant-round
protocols with communication/computational complexity linear in the size of the circuit computing
$f$. This gives the first constant-round protocol for PFE with linear complexity (without using
fully homomorphic encryption), even restricted to semi-honest adversaries.


1 Introduction 

In the setting of two-party private function evaluation (PFE), a party $P_1$ holds an input $x$
while another party $P_2$ holds a (circuit $C_f$ describing a) function $f$; the goal is for one
(or both) of the parties to learn the result $f(x)$ while not revealing to either party any
information beyond this. (The parties do agree in advance on the size of the circuit being
computed, as well as the input/output length. See Section 2.1 for further discussion.) PFE is
useful when the function being computed must remain private, say because the function is
classified, because revealing the function would lead to security vulnerabilities, or because the
implementation of the function (e.g., the circuit $C_f$ itself) is proprietary even if the
function $f$ is known [?].
PFE stands in contrast to the standard setting of secure two-party computation [?], where the
parties hold inputs $x$ and $y$, respectively, and wish to compute the result $f(x,y)$ for some
mutually known function $f$ using an agreed-upon circuit $C_f$ for computing $f$. On the other
hand, it is well known that the problem of PFE can be reduced to the problem of secure computation
using universal circuits. In more detail, let $U_n$ be some (fixed) universal circuit such that
$U_n(x, C) = C(x)$ for every circuit $C$ having at most $n$ gates. (We implicitly assume here some
fixed representation for circuits.) Then if $\mathcal{C}_n$ is the class of circuits having at
most $n$ gates, PFE for this class is solved by having the parties run a (standard) secure
computation of $U_n$.

There are, however, drawbacks to using universal circuits to implement PFE. First is the resulting
complexity: although PFE using universal circuits has been implemented [?], it is fair to say that
it is more challenging, tedious, and error-prone to write code involving universal circuits than it
is to implement secure computation "directly" using Yao's garbled circuit approach (as done, e.g.,
in [?]). Using universal circuits also impacts efficiency. Valiant [?] showed a construction of a
universal circuit achieving (optimal) $|U_n| = O(n \log n)$; the construction is complex, however,
and the constant terms (as well as the low-order terms) are significant. Kolesnikov and Schneider
[?] gave a simpler construction of universal circuits: they obtain the worse asymptotic bound
$|U_n| = O(n \log^2 n)$, but their techniques are claimed to yield smaller universal circuits than
Valiant's construction for "reasonable" values of $n$. (The exact improvement depends also on the
number of inputs and outputs. We refer the reader to their work for a detailed comparison.) Even
so, as secure two-party computation is used for ever-larger circuits (secure computation of
circuits with up to 1 billion gates has been reported [?]), the overhead introduced by universal
circuits becomes prohibitive. Indeed, the implementation of PFE by Kolesnikov and Schneider [?]
can handle circuits of only a few thousand gates [?].

Another approach to PFE is given by Abadi and Feigenbaum [?], who show a PFE protocol with
complexity $O(n)$ but using $O(d)$ rounds, where $d$ is (an upper bound on) the depth of the
circuit being computed.


1.1 Contributions of Our Work 

We show the first constant-round PFE protocols with linear complexity, without relying on fully
homomorphic public-key encryption.^1 We begin by showing a protocol in the semi-honest setting;
this illustrates our core techniques and represents what we consider to be our main contribution.
(Semi-honest security was the focus of all prior work on PFE [?].) Zero-knowledge proofs can be
used in the standard way [?] to obtain security against malicious parties, still in constant
rounds and with linear complexity; however, the resulting protocol is unlikely in practice to
out-perform secure computation

1 It is easy to construct constant-round, linear-complexity PFE from fully homomorphic encryption.
But it is of theoretical interest to reduce the assumptions used, and of practical importance to
avoid the overhead of fully homomorphic encryption.
of universal circuits using efficient protocols for the malicious setting (e.g., [?]). We sketch a
more efficient construction for achieving security against a malicious $P_1$.

Our protocols rely on (singly) homomorphic public-key encryption as well as a symmetric-key
encryption scheme secure against linear related-key attacks; see Definition 2. The former can be
instantiated using various standard cryptosystems (e.g., [?]); the latter can be instantiated in
the random oracle model, or in a provable sense [?] based on the decisional Diffie-Hellman
assumption.

In addition to the theoretical improvement, our approach should yield better performance in
practice for PFE of large circuits and/or in certain settings. Specifically, although our protocol
uses $O(n)$ public-key operations (in contrast to universal-circuit-based approaches that use
$O(n \log n)$ or $O(n \log^2 n)$ symmetric-key operations^2), our protocol has linear
communication complexity, making it advantageous when network communication is expensive.
Moreover, there are several ways our protocol can be improved (e.g., using elliptic-curve
cryptography along with fast algorithms for performing multiple fixed-base exponentiations) to
reduce its computational cost.


1.2 Overview of Our Techniques 

Our main technical contribution, as noted above, is our idea for achieving PFE with linear
complexity in the semi-honest setting; we describe this here. Our description is fairly detailed
and we will refer to it in the formal description of our protocol later; it should also be
possible to skim this section so as to obtain the main ideas. Our approach adapts Yao's
garbled-circuit technique. At a very high level, our idea is to have $P_1$ generate a sequence of
gates; $P_2$ then connects these gates together, using (singly) homomorphic encryption, in a
manner that is oblivious to $P_1$, while still enabling $P_1$ to prepare a garbled circuit
corresponding to the circuit $C_f$ held by $P_2$. This idea of having one party connect gates of
the circuit together is vaguely reminiscent of the "soldering" approach taken in [23]; our
setting, however, is different from theirs (in [23] it was required that both parties know the
circuit being computed), as is our implementation of the "soldering" step.

Say $x \in \{0,1\}^\ell$, and assume that $f$ outputs a single bit and that $C_f$ is known to
contain exactly $n$ nand gates. (Neither of these assumptions is necessary, but we avoid
complications for now.) It will be useful to distinguish between outgoing wires and ingoing wires
of a circuit. Outgoing wires include the $\ell$ input wires of the circuit, along with the wire
that exits each gate of the circuit; thus, in a circuit with $\ell$ inputs and $n$ gates there are
exactly $\ell + n$ outgoing wires. The ingoing wires are exactly the input wires to each gate of
the circuit; thus, in a circuit with $n$ two-input gates there are exactly $2n$ ingoing wires. A
circuit is defined by specifying the output wires, and by giving a correspondence between

2 This does not account for any oblivious transfers performed in the universal-circuit-based
approaches. However the number of oblivious transfers scales linearly in the input length, not
the circuit size.
outgoing wires and ingoing wires; e.g., specifying that outgoing wire $i$ (which may be an input
wire or a wire exiting some gate) connects to ingoing wires $j$, $k$, and $l$. We stress that
even though we speak of each internal gate as having only a single outgoing wire, we handle
arbitrary fan-out since a single outgoing wire can be connected to several ingoing wires.

In our description below, we assume for concreteness that $P_2$ learns the output $f(x)$.
However, it is trivial to modify our protocol (with no additional cost) so that only $P_1$ learns
the output. See the remark at the end of this section.

The protocol begins by having $P_1$ generate and send a public key $pk$ for a (singly)
homomorphic encryption scheme Enc. Similar to Yao's garbled-circuit technique, $P_1$ then chooses
$\ell + n$ pairs of random keys that will be assigned to each of the outgoing wires. Let $s_i^b$
denote the key corresponding to bit $b$ on wire $i$. Then $P_1$ sends

$[\mathrm{Enc}_{pk}(s_1^0), \mathrm{Enc}_{pk}(s_1^1)], \ldots, [\mathrm{Enc}_{pk}(s_{\ell+n}^0), \mathrm{Enc}_{pk}(s_{\ell+n}^1)]$

to $P_2$. (It will become clear from what follows that $P_1$ need not send the final encrypted
pair $[\mathrm{Enc}_{pk}(s_{\ell+n}^0), \mathrm{Enc}_{pk}(s_{\ell+n}^1)]$. We include it above
for clarity.)

$P_2$, in turn, obliviously defines keys for each of the $2n$ ingoing wires. $P_2$ sorts the gates
of $C_f$ topologically, so that if the outgoing wire from some gate $i$ connects to an ingoing
wire of some gate $j$ then $i < j$. This defines a natural enumeration of the outgoing wires in
the circuit: outgoing wires numbered from 1 to $\ell$ correspond to the input wires of the
circuit, and outgoing wire $\ell + i$ (for $i \in \{1, \ldots, n\}$) corresponds to the wire
exiting gate $i$. The output wire of the circuit corresponds to outgoing wire $\ell + n$. (Recall
that here we assume $f$ is boolean; in Section 3.1 we relax this.)

For each ingoing wire of the circuit, $P_2$ does as follows. Say the ingoing wire of some gate $i$
is connected to outgoing wire $j$. Then $P_2$ chooses random $a_i, b_i$ and defines the
(encrypted) keys for this ingoing wire to be

$[\mathrm{Enc}_{pk}(a_i \cdot s_j^0 + b_i),\ \mathrm{Enc}_{pk}(a_i \cdot s_j^1 + b_i)],$

where the above is computed using the homomorphic properties of the encryption scheme. (In the
above, the ciphertexts are re-randomized in the usual way.) Two observations are in order: first,
the (unencrypted) keys $(r^0, r^1) = (a_i \cdot s_j^0 + b_i,\ a_i \cdot s_j^1 + b_i)$ are random
and independent of $j$. Second, given $s_j^b$ it is possible for $P_2$ to compute $r^b$ (using
$a_i, b_i$); without $s_j^{1-b}$, however, $P_2$ learns no information about $r^{1-b}$. (Recall we
are in the semi-honest setting, so $a_i, b_i$ are chosen at random.)

Expanding upon the above, say gate $i$ of the circuit has its left ingoing wire connected to
outgoing wire $j$ and right ingoing wire connected to outgoing wire $k$. (As always, the outgoing
wire from this gate is numbered $\ell + i$.) Then $P_2$ defines the encrypted "garbled gate"

$\mathrm{encGG}_i = \Big( [\mathrm{Enc}_{pk}(a_i \cdot s_j^0 + b_i),\ \mathrm{Enc}_{pk}(a_i \cdot s_j^1 + b_i)],\ [\mathrm{Enc}_{pk}(a_i' \cdot s_k^0 + b_i'),\ \mathrm{Enc}_{pk}(a_i' \cdot s_k^1 + b_i')],\ [\mathrm{Enc}_{pk}(s_{\ell+i}^0),\ \mathrm{Enc}_{pk}(s_{\ell+i}^1)] \Big),$

where $a_i, b_i, a_i', b_i'$ are chosen uniformly at random. Finally, $P_2$ sends

$\mathrm{encGG}_1, \ldots, \mathrm{encGG}_n$

to $P_1$. (In fact $P_2$ need not transmit the final pair
$[\mathrm{Enc}_{pk}(s_{\ell+i}^0), \mathrm{Enc}_{pk}(s_{\ell+i}^1)]$ of each encrypted garbled
gate, since $P_1$ knows it. We include it above for clarity.)

Upon receiving this message, $P_1$ decrypts each $\mathrm{encGG}_i$ to obtain, for each gate $i$,
the three pairs of keys $([L_i^0, L_i^1], [R_i^0, R_i^1], [s_{\ell+i}^0, s_{\ell+i}^1])$. It then
prepares a garbled version $GG_i$ of this gate in the usual way: namely, it computes the four
ciphertexts

$C_i^{b,c} \leftarrow \mathrm{sEnc}_{L_i^b}\big(\mathrm{sEnc}_{R_i^c}(s_{\ell+i}^{\mathrm{nand}(b,c)})\big), \quad b, c \in \{0,1\}$

(where sEnc denotes a symmetric-key encryption scheme), and sets $GG_i$ to be the four
ciphertexts $(C_i^{0,0}, \ldots, C_i^{1,1})$ in random permuted order. $P_1$ then sends
$GG_1, \ldots, GG_n$ to $P_2$. In addition, $P_1$ sends the appropriate input-wire keys
$s_1^{x_1}, \ldots, s_\ell^{x_\ell}$, as well as both output-wire keys
$(s_{\ell+n}^0, s_{\ell+n}^1)$.

$P_2$ now has enough information to compute the result, using a procedure analogous (but not
identical) to what is done in a standard application of Yao's garbled-circuit methodology. $P_2$
begins knowing a key $s_i$ for each outgoing wire $i \in \{1, \ldots, \ell\}$. (Recall these are
the input wires of the circuit that correspond to $P_1$'s input.) Inductively, $P_2$ can compute a
key for every outgoing wire as follows: Consider the $(\ell+i)$th outgoing wire exiting from gate
$i$, where the left ingoing wire to this gate is connected to outgoing wire $j < i$ and the right
ingoing wire to this gate is connected to outgoing wire $k < i$. Assume $P_2$ has already
determined keys $s_j, s_k$ for outgoing wires $j, k$, respectively. $P_2$ computes keys
$L_i = a_i s_j + b_i$ and $R_i = a_i' s_k + b_i'$ for the left and right ingoing wires to gate
$i$. Then $P_2$ tries to decrypt each of the four ciphertexts in $GG_i$. With overwhelming
probability, only one of these decryptions will be successful; the result of this successful
decryption defines the key $s_{\ell+i}$ for outgoing wire $\ell + i$. Once $P_2$ has determined
key $s_{\ell+n}$, it can check whether this corresponds to an output of '0' or '1' using the
ordered pair $(s_{\ell+n}^0, s_{\ell+n}^1)$ sent by $P_1$.

Further details, intuition for security of the above, proofs of security, and extensions to
handle malicious behavior of $P_1$ are described in the sections that follow. A more efficient
variant of the above protocol is described in Section [?].

Remark 1: It is trivial to modify the above protocol, at no additional cost, so that only $P_1$
learns the output (and $P_2$ learns nothing): first, change round 3 so that $P_1$ does not send
the output-wire keys $(s_{\ell+n}^0, s_{\ell+n}^1)$. Then when $P_2$ learns the final key
$s_{\ell+n}$ it simply sends this key back to $P_1$, who can then check whether it is equal to
$s_{\ell+n}^0$ or $s_{\ell+n}^1$.

1.3 Other Related Work 

Several works have explored weaker variants of PFE. Paus et al. [?] consider semi-private
function evaluation where the circuit topology (i.e., the connections between gates) is assumed
to be known to both parties, but the boolean function computed by each gate can be hidden. Here
we treat the more difficult case where everything about the circuit (except an upper bound on its
size and the number of inputs/outputs) is hidden. Another direction has been to consider PFE for
limited classes of functions: e.g., functions defined by low-depth circuits [?], branching
programs [?], or polynomials [?]. Here we handle functions defined by arbitrary
(polynomial-size) circuits.


2 Definitions 

Let $k$ be the security parameter. A distribution ensemble
$X = \{X(1^k, a)\}_{k \in \mathbb{N},\, a \in \mathcal{D}}$ is an infinite sequence of random
variables indexed by $k \in \mathbb{N}$ and $a \in \mathcal{D}$, for $\mathcal{D}$ some specified
set. The two ensembles $X = \{X(1^k, a)\}_{k \in \mathbb{N},\, a \in \mathcal{D}}$ and
$Y = \{Y(1^k, a)\}_{k \in \mathbb{N},\, a \in \mathcal{D}}$ are computationally
indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every non-uniform polynomial-time
algorithm $D$ there exists a negligible function $\mu(\cdot)$ such that for every $k$ and every
$a \in \mathcal{D}$

$\big|\, \Pr[D(X(1^k, a)) = 1] - \Pr[D(Y(1^k, a)) = 1] \,\big| \le \mu(k).$


2.1 Private Function Evaluation 

Our definitions of security are standard, but we include them here for completeness. For
simplicity, we treat the case where $P_1$ holds some value $x \in \{0,1\}^\ell$ as input while
$P_2$ holds a circuit $C_f$ computing some deterministic function $f$; the goal of the protocol is
for $P_2$ to learn $f(x)$. The definitions we provide here, as well as our protocols, extend
easily to handle, e.g., additional input provided by $P_2$ (this can simply be incorporated into
the circuit $C_f$), randomized functions $f$, or the case where $P_1$ receives output (see
Remark 1 at the end of Section 1.2).

The problem of PFE is meaningless in practice if $P_2$ learns the output and $f$ (resp., $C_f$)
is allowed to be completely arbitrary: in that case $P_2$ could take $f(x) = x$ and learn $P_1$'s
entire input! It is thus reasonable to impose some restrictions on $C_f$. The most general
formulation is to assume that both parties fix some class $\mathcal{C}$ of circuits, and require
that $C_f \in \mathcal{C}$; in that case we refer to the problem as $\mathcal{C}$-PFE. This
encompasses both the case when $P_1$ knows some partial information about $f$ (as in [?]), as well
as the case where $C_f$ is restricted in some way (e.g., to have low depth). In this work, we
assume only that $P_1$ knows the input length $\ell$, and upper bounds on the output length $m$
and the number of gates $n$ (i.e., $\mathcal{C}$ contains only circuits satisfying those
constraints). Note that if $m \ll \ell$ then meaningful privacy of $P_1$'s input is maintained
regardless of what circuit $C_f \in \mathcal{C}$ is used by $P_2$.

There are two ways one could incorporate a security parameter $k$ into the definition of the
problem. The usual way, which we find less natural in our setting, is to allow the sizes of the
inputs to grow and to set the security parameter equal to the input size(s). We prefer instead to
treat the input domains (namely, $\{0,1\}^\ell$ and some class of circuits $\mathcal{C}$) as
fixed, and to treat $k$ as an additional input.
A two-party protocol for $\mathcal{C}$-PFE is a protocol running in polynomial time and satisfying
the following correctness requirement: if party $P_1$, holding input $1^k$ and $x$, and party
$P_2$, holding input $1^k$ and $C_f \in \mathcal{C}$, run the protocol honestly, then (except with
probability negligible in $k$) the output of $P_2$ is $C_f(x)$.

Security in the semi-honest case. In the semi-honest case we assume both parties follow the
protocol honestly but may each try to learn some additional information from their (respective)
view. Fix $\mathcal{C}$ and let $\Pi$ be a protocol for $\mathcal{C}$-PFE. The view of the $i$th
party during an execution of $\Pi$ when the parties begin holding inputs $x$ and $C_f$,
respectively, and security parameter $1^k$ is denoted by $\mathrm{VIEW}_i^\Pi(1^k, x, C_f)$. The
view of $P_i$ contains $P_i$'s input and random tape, along with the sequence of messages
received from the other party $P_{3-i}$.

When $f$ is deterministic it suffices to consider the views of the parties in isolation, rather
than their joint distribution [?, Sect. 7.2.2.1]. We thus have:

Definition 1. Protocol $\Pi$ is a secure $\mathcal{C}$-PFE protocol for semi-honest adversaries
if there exist probabilistic polynomial-time simulators $\mathcal{S}_1, \mathcal{S}_2$ such that

$\{\mathcal{S}_1(1^k, x)\}_{k \in \mathbb{N},\, x \in \{0,1\}^\ell,\, C_f \in \mathcal{C}} \stackrel{c}{\equiv} \{\mathrm{VIEW}_1^\Pi(1^k, x, C_f)\}_{k \in \mathbb{N},\, x \in \{0,1\}^\ell,\, C_f \in \mathcal{C}}$

$\{\mathcal{S}_2(1^k, C_f, f(x))\}_{k \in \mathbb{N},\, x \in \{0,1\}^\ell,\, C_f \in \mathcal{C}} \stackrel{c}{\equiv} \{\mathrm{VIEW}_2^\Pi(1^k, x, C_f)\}_{k \in \mathbb{N},\, x \in \{0,1\}^\ell,\, C_f \in \mathcal{C}}.$

Security against malicious behavior. We refer to the full version of this paper [?] for a
definition of security against malicious adversaries within the usual real/ideal framework [?].

2.2 Tools 

We use a (singly) homomorphic public-key encryption scheme (Gen, Enc, Dec). The actual property
we need is the ability to evaluate a pairwise-independent function on the plaintext space. If the
plaintext space is a group $\mathbb{G}$ of prime order $p$, written additively, this can be
achieved by mapping $a \in \mathbb{Z}_p$, $b \in \mathbb{G}$, and $\mathrm{Enc}_{pk}(m)$ to a
(random) encryption $\mathrm{Enc}_{pk}(am + b)$. Thus, e.g., standard El Gamal encryption [?] can
be used (though $\mathbb{G}$ in that case is usually written multiplicatively). In fact, the
plaintext space is not required to have prime order, as we only require "almost"
pairwise-independence. In particular, Paillier encryption [?] could also be used.

We also use a symmetric-key encryption scheme (sEnc, sDec) whose key space is viewed as a group
$\mathbb{G}(k)$ of order $p = p(k)$ that is, for simplicity, the same as the plaintext space of
the public-key encryption scheme being used. (In practice, this can be achieved for any desired
$\mathbb{G}$ by implementing encryption with key $g \in \mathbb{G}$ using AES with key
SHA-1($g$), truncated to 128 bits.) We impose the same requirements on (sEnc, sDec) as in [?]:
namely, that it have elusive and efficiently verifiable range. (These properties are easily
satisfied.) In addition, we require (sEnc, sDec) to satisfy a weak form of related-key security
where, roughly, encryption remains secure even when performed using linearly related keys (where
the linear relations are chosen at random). That is:
Definition 2. Encryption scheme (sEnc, sDec) is secure against linear related-key attacks if the
following is negligibly close (in $k$) to $1/2$ for all polynomials $d$ and all ppt adversaries
$\mathcal{A}$:

$\Pr\Big[\ s \leftarrow \mathbb{G}(k);\ c \leftarrow \{0,1\};\ a_1, \ldots, a_d \leftarrow \mathbb{Z}_{p(k)};\ b_1, \ldots, b_d \leftarrow \mathbb{G}(k)\ :\ \mathcal{A}^{\mathrm{sEnc}^c_{a_1 s + b_1}(\cdot,\cdot),\, \ldots,\, \mathrm{sEnc}^c_{a_d s + b_d}(\cdot,\cdot)}(a_1, b_1, \ldots, a_d, b_d) = c\ \Big]$

where $\mathrm{sEnc}^c_s(m_0, m_1) \stackrel{\text{def}}{=} \mathrm{sEnc}_s(m_c)$.

We remark that a weaker definition (where $\mathcal{A}$ queries each
$\mathrm{sEnc}^c_{a_i s + b_i}(\cdot,\cdot)$ only on two inputs, chosen nonadaptively) suffices
for our proof. It is easy to construct an encryption scheme satisfying the above definition using
a (non-programmable) random oracle, and it would be surprising if standard encryption schemes
based on AES could be shown not to satisfy the above definition. Moreover, recent work of
Applebaum et al. [?] can be used to construct a scheme satisfying the above definition in a
provable sense, based on the decisional Diffie-Hellman assumption.


3 A C-PFE Protocol for Semi-honest Adversaries 

3.1 Description of the Protocol 

We now formally define our $\mathcal{C}$-PFE protocol for semi-honest adversaries. In our
description here, we assume the reader is familiar with the protocol overview provided in
Section 1.2.

We assume that all circuits in $\mathcal{C}$ are composed solely of nand gates. This is for
simplicity only, and our protocol can be easily modified to handle circuits over an arbitrary
basis of 2-to-1 gates with only a small impact on the efficiency. Let $n$ be an upper bound on
the size of any circuit in $\mathcal{C}$, and let $m$ be an upper bound on the number of outputs.
By adjusting $n$ appropriately, we may assume that every circuit in $\mathcal{C}$ has exactly $m$
outputs ($P_2$ can always add "dummy" outputs that are fixed to some constant); that the output
wires of the circuit do not connect to any other gates (this can be achieved by adding at most
$m$ gates to the circuit); and that every circuit in $\mathcal{C}$ contains exactly $n$ gates
($P_2$ can add "dummy" gates whose output wires are connected to nothing). We make all these
assumptions in what follows. We also assume that $P_2$ learns the output; however, it is trivial
to modify the protocol so that $P_1$ learns the output; see Remark 1 in Section 1.2.

Recall from Section 1.2 that we distinguish between outgoing wires and ingoing wires of $C_f$.
(Recall also that although each gate has only a single outgoing wire, we handle circuits with
arbitrary fan-out since a single outgoing wire can be connected to several ingoing wires.) As in
Section 1.2, party $P_2$ sorts the gates of $C_f$ topologically and this defines an enumeration
of the $N = \ell + n$ outgoing wires. The outgoing wires numbered from 1 to $\ell$ correspond to
the $\ell$ input wires of the circuit, and outgoing wire $\ell + i$ (for $i \in \{1, \ldots, n\}$)
corresponds to the output wire from gate $i$. The output wires of the circuit correspond to the
$m$ outgoing wires $N - m + 1, \ldots, N$.

We first define an algorithm encYao that prepares garbled gates as in Yao's protocol: encYao
takes as input three pairs of keys and outputs four ciphertexts, and is defined as

$\mathrm{encYao}([L^0, L^1], [R^0, R^1], [s^0, s^1]) \stackrel{\text{def}}{=} \Big\{ \mathrm{sEnc}_{L^b}\big(\mathrm{sEnc}_{R^c}(s^{\mathrm{NAND}(b,c)})\big) \Big\}_{b, c \in \{0,1\}},$

where the four ciphertexts are in random permuted order. We analogously define an algorithm
decYao that takes as input two keys (for each of two ingoing wires) and a garbled gate, and
outputs a key for the outgoing wire; this algorithm, given keys $L, R$ and four ciphertexts
$\{C_0, C_1, C_2, C_3\}$, computes $\mathrm{sDec}_L(\mathrm{sDec}_R(C_i))$ for all $i$ and outputs
the unique non-$\perp$ value that is obtained. (If more than one non-$\perp$ value results, this
algorithm outputs $\perp$.)

Our protocol is described in Figure 1. Correctness holds with all but negligible probability, via an argument similar to the one in [ref].

In our description of the protocol we aimed for clarity rather than efficiency, and several improvements are possible. For one, P_2 need not include [Enc_pk(s^0_{ℓ+i}), Enc_pk(s^1_{ℓ+i})] as part of encGG_i, since P_1 already knows these values. Furthermore, P_1 need not send

$[\mathrm{Enc}_{pk}(s^0_{N-m+1}), \mathrm{Enc}_{pk}(s^1_{N-m+1})], \ldots, [\mathrm{Enc}_{pk}(s^0_N), \mathrm{Enc}_{pk}(s^1_N)]$

in round 1 (since these outgoing wires do not connect to any ingoing wires). Moreover, P_1 can set s^0_{N−m+1} = ··· = s^0_N = 0 and s^1_{N−m+1} = ··· = s^1_N = 1 (and then there is no need to send the output-wires message in the third round); that is, for gates whose outgoing wires are the output of the circuit, P_1 can encrypt the wire value itself rather than encrypting a key that encodes the wire value.

Security against a semi-honest P_1 is easy to see. In fact, security in that case holds in a statistical sense. Indeed, with all but negligible probability it holds that s^0_i ≠ s^1_i for all i ∈ {1, ..., N}. Assuming this to be the case, the top two rows of each encGG_i sent by P_2 to P_1 in round 2 consist only of (random) encryptions of the four independent, uniform values

$a_i \cdot s^0_j + b_i,\quad a_i \cdot s^1_j + b_i,\quad a'_i \cdot s^0_k + b'_i,\quad a'_i \cdot s^1_k + b'_i.$

In particular, these values are independent of the interconnections between gates of C_f, and thus the view of P_1 is independent of the circuit held by P_2.

Security against a semi-honest P_2 holds computationally, assuming semantic security of the homomorphic encryption scheme and security against linear related-key attacks for the symmetric-key encryption scheme. Roughly, the initial encryptions sent to P_2 in round 1 do not reveal anything about the values s^0_i, s^1_i that P_1 assigns to each outgoing wire in the circuit. Thus, the information sent to P_2 in round 3 is essentially equivalent to the information sent to P_2 in a standard application of Yao's garbled-circuit methodology, with the only difference being that here ingoing wires and outgoing wires have different keys, and P_1 must compute a key L_i on some ingoing wire by "translating" one of the keys s_j on the outgoing wire connected to that ingoing wire.


Inputs: The security parameter is k. The input of P_1 is a value x ∈ {0,1}^ℓ, and the input of P_2 is a circuit C_f with ℓ, n, m as described in the text.

Round 1. P_1 computes (pk, sk) ← Gen(1^k) and sends pk to P_2. In addition, P_1 chooses N = ℓ + n pairs of random keys s^0_i, s^1_i for i ∈ {1, ..., N}. It then sends to P_2 the ciphertexts

$[\mathrm{Enc}_{pk}(s^0_1), \mathrm{Enc}_{pk}(s^1_1)], \ldots, [\mathrm{Enc}_{pk}(s^0_N), \mathrm{Enc}_{pk}(s^1_N)].$

Round 2. For each gate i ∈ {1, ..., n} of C_f, with left ingoing wire connected to outgoing wire j, right ingoing wire connected to outgoing wire k, and outgoing wire ℓ + i, party P_2 chooses a_i, b_i, a'_i, b'_i uniformly (from the appropriate domains) and computes

$\mathrm{encGG}_i = \begin{pmatrix} [\mathrm{Enc}_{pk}(a_i \cdot s^0_j + b_i),\ \mathrm{Enc}_{pk}(a_i \cdot s^1_j + b_i)] \\ [\mathrm{Enc}_{pk}(a'_i \cdot s^0_k + b'_i),\ \mathrm{Enc}_{pk}(a'_i \cdot s^1_k + b'_i)] \\ [\mathrm{Enc}_{pk}(s^0_{\ell+i}),\ \mathrm{Enc}_{pk}(s^1_{\ell+i})] \end{pmatrix}$

using the homomorphic properties of Enc. (In the above, each ciphertext is re-randomized.) Then P_2 sends encGG_1, ..., encGG_n to P_1.

Round 3. For i ∈ {1, ..., n}, party P_1 decrypts encGG_i using sk to obtain the three pairs of keys keys_i = ([L^0_i, L^1_i], [R^0_i, R^1_i], [s^0_{ℓ+i}, s^1_{ℓ+i}]). It then computes GG_i ← encYao(keys_i), and sends GG_1, ..., GG_n to P_2. Finally, P_1 sends

input-wires: s^{x_1}_1, ..., s^{x_ℓ}_ℓ; output-wires: (s^0_{N−m+1}, s^1_{N−m+1}), ..., (s^0_N, s^1_N).

Output determination. Say P_1 sent input-wires: s_1, ..., s_ℓ to P_2 in the previous round. Then for all i ∈ {ℓ + 1, ..., ℓ + n}, party P_2 does: If the left ingoing wire of gate i is connected to outgoing wire j < i and the right ingoing wire of gate i is connected to outgoing wire k < i, then (1) compute L_i = a_i s_j + b_i and R_i = a'_i s_k + b'_i, and then (2) set s_i = decYao(L_i, R_i, GG_i).

Once P_2 has computed s_1, ..., s_{ℓ+n}, it sets the jth output bit o_j (for j ∈ {N − m + 1, ..., N}) to be the (unique) bit for which s_j = s^{o_j}_j.


Fig. 1. A C-PFE protocol for semi-honest adversaries

We have: 

Theorem 1. Assume the homomorphic encryption scheme is semantically secure, and the symmetric-key encryption scheme is secure against linear related-key attacks and has elusive and efficiently verifiable range. Then the protocol of Figure 1 is a secure C-PFE protocol for semi-honest adversaries.

Due to space limitations, a proof appears in the full version [ref].
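As an added example (not code from the paper), the following Python simulates the protocol of Figure 1 with both parties in one process, covering both the encYao/decYao definitions and the three rounds: the symmetric scheme is a double encryption whose range is made efficiently verifiable by an appended zero tag (so a wrong key decrypts to ⊥, here None), and the additively homomorphic scheme is a toy Paillier instance over two constructed 32-bit primes (illustration only, not a secure parameter choice). The wire-key-to-bytes derivation, the constructed half-adder circuit HALF_ADDER and the wire/gate numbering are this example's own; the Section 3.2 variant with a global shift is not included.

```python
import hashlib
import hmac
import secrets
from itertools import product

# Toy Paillier instance with two constructed 32-bit primes (illustration only; the
# paper leaves the additively homomorphic scheme abstract). Plaintext space is Z_N.
_P, _Q = 4294967291, 4294967279
N = _P * _Q
N2 = N * N
PHI = (_P - 1) * (_Q - 1)
MU = pow(PHI, -1, N)          # decryption constant for the generator g = N + 1

def enc(m):
    """Enc_pk(m) = (1+N)^m * r^N mod N^2 with fresh randomness r."""
    r = 1 + secrets.randbelow(N - 1)
    return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def hom_affine(c, a, b):
    """Enc_pk(a*m + b) from Enc_pk(m); the fresh Enc_pk(b) also re-randomizes it."""
    return pow(c, a, N2) * enc(b) % N2

# Symmetric encryption with an efficiently verifiable range: 16 zero bytes are appended
# before masking with an HMAC-SHA256 keystream, so decryption under a wrong key is
# detected (None plays the role of the paper's ⊥) except with negligible probability.
TAG = bytes(16)

def _keystream(k, nonce, n):
    blocks = (hmac.new(k, nonce + bytes([i]), hashlib.sha256).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def s_enc(k, msg):
    nonce = secrets.token_bytes(16)
    body = msg + TAG
    return nonce + bytes(x ^ y for x, y in zip(body, _keystream(k, nonce, len(body))))

def s_dec(k, ct):
    if ct is None:                     # propagate ⊥ from the outer layer
        return None
    pt = bytes(x ^ y for x, y in zip(ct[16:], _keystream(k, ct[:16], len(ct) - 16)))
    return pt[:-16] if pt[-16:] == TAG else None

def _key(v):                           # constructed: wire key in Z_N -> symmetric key bytes
    return hashlib.sha256(v.to_bytes(16, "big")).digest()

def enc_yao(L, R, S):
    """encYao: sEnc_{L^b}(sEnc_{R^c}(s^{NAND(b,c)})) for b, c in {0,1}, randomly ordered."""
    cts = [s_enc(_key(L[b]), s_enc(_key(R[c]), S[1 - (b & c)].to_bytes(16, "big")))
           for b, c in product((0, 1), repeat=2)]
    secrets.SystemRandom().shuffle(cts)
    return cts

def dec_yao(l, r, gg):
    """decYao: the unique non-⊥ value among the four double decryptions, else ⊥ (None)."""
    outs = [m for m in (s_dec(_key(r), s_dec(_key(l), c)) for c in gg) if m is not None]
    return int.from_bytes(outs[0], "big") if len(outs) == 1 else None

def cpfe(x_bits, gates, m):
    """Run Fig. 1 with both parties simulated; returns P2's m output bits.
    gates[i-1] = (j, k): gate i's ingoing wires connect to outgoing wires j, k (1-based);
    gate i drives outgoing wire ell+i and the last m outgoing wires are the outputs."""
    ell, n = len(x_bits), len(gates)
    nw = ell + n
    # Round 1 (P1): a random key pair per outgoing wire, sent under pk
    s = [None] + [(secrets.randbelow(N), secrets.randbelow(N)) for _ in range(nw)]
    enc_s = [None] + [(enc(s0), enc(s1)) for s0, s1 in s[1:]]
    # Round 2 (P2): affine translations a*s_j+b and a'*s_k+b' computed homomorphically,
    # plus a re-randomization of Enc(s_{ell+i}); P1 learns nothing about (j, k)
    ab, enc_gg = [], []
    for i, (j, k) in enumerate(gates, start=1):
        a, b, a2, b2 = (secrets.randbelow(N) for _ in range(4))
        ab.append((a, b, a2, b2))
        enc_gg.append(([hom_affine(enc_s[j][v], a, b) for v in (0, 1)],
                       [hom_affine(enc_s[k][v], a2, b2) for v in (0, 1)],
                       [hom_affine(enc_s[ell + i][v], 1, 0) for v in (0, 1)]))
    # Round 3 (P1): decrypt the three key pairs per gate and garble with encYao
    gg = [enc_yao(*[[dec(c) for c in pair] for pair in e]) for e in enc_gg]
    input_keys = [s[i + 1][bit] for i, bit in enumerate(x_bits)]
    output_pairs = [s[w] for w in range(nw - m + 1, nw + 1)]
    # Output determination (P2): translate with its own (a, b) and evaluate gate by gate
    key = [None] + input_keys + [None] * n
    for i, (j, k) in enumerate(gates, start=1):
        a, b, a2, b2 = ab[i - 1]
        key[ell + i] = dec_yao((a * key[j] + b) % N, (a2 * key[k] + b2) % N, gg[i - 1])
    return [pair.index(key[w]) for w, pair in zip(range(nw - m + 1, nw + 1), output_pairs)]

# Constructed test circuit: a half adder over nand gates (carry = AND, sum = XOR).
# Output wires 6 (carry) and 7 (sum) are the last two outgoing wires and feed no gate.
HALF_ADDER = [(1, 2), (1, 3), (2, 3), (3, 3), (4, 5)]
```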
3.2 A More Efficient Variant

In this section we describe a more efficient variant of our protocol in which the wire labels are chosen in a coordinated fashion, as in [ref]. Unfortunately, we are only able to prove security of the resulting protocol in the random oracle model; see further discussion at the end of this section.

We merely sketch the basic idea. Now, in round 1, P_1 chooses a global random shift r and ℓ + n outgoing-wire keys {s^0_i}; it then sets s^1_i = s^0_i + r for all i. The first-round message from P_1 now contains pk and the ℓ + n ciphertexts Enc_pk(s^0_1), ..., Enc_pk(s^0_{ℓ+n}).

For each ingoing wire of the circuit, P_2 does as follows. Say this wire is connected to outgoing wire j. Then P_2 chooses random a and defines the (encrypted) 0-key for this ingoing wire to be (a re-randomization of) Enc_pk(s^0_j + a), where this is computed using the homomorphic properties of the encryption scheme. Thus, if gate i of the circuit has its left ingoing wire connected to outgoing wire j and right ingoing wire connected to outgoing wire k, party P_2 defines the ith encrypted "garbled gate" via

$\mathrm{encGG}_i = \begin{pmatrix} \mathrm{Enc}_{pk}(s^0_j + a_i) \\ \mathrm{Enc}_{pk}(s^0_k + a'_i) \\ \mathrm{Enc}_{pk}(s^0_{\ell+i}) \end{pmatrix},$

where a_i, a'_i are chosen uniformly at random. P_2 sends encGG_1, ..., encGG_n to P_1.

Upon receiving this message, P_1 decrypts each encGG_i to obtain, for each gate i, the keys (L^0_i, R^0_i, s^0_{ℓ+i}). It defines L^1_i = L^0_i + r and R^1_i = R^0_i + r, and then prepares a garbled version GG_i of this gate as in the previous sections. P_2 can then compute the result as usual. The entire protocol is roughly twice as efficient as the original.

As we have mentioned, however, we are only able to prove security of this modified protocol in the (non-programmable) random oracle model. Although it may appear possible to prove security in the standard model if the symmetric-key encryption scheme satisfies a strong enough definition of security, we were not able to isolate any suitable definition. In particular, correlation robustness [ref] does not appear to suffice, since there is a circularity when, e.g., keys s, s + r, s', s' + r are used to encrypt keys s'' and s'' + r. (Some combination of correlation robustness and circular security appears necessary.) The same issue seems to be present in the works of [ref, ref] as well.


4 Security for Malicious Adversaries 

As noted in the Introduction, we can apply zero-knowledge proofs in the standard way [ref] to obtain a protocol with linear complexity (and constant round complexity) that is secure against malicious adversaries. However, the resulting protocol is unlikely in practice to out-perform secure computation of universal circuits using efficient protocols for the malicious setting (e.g., [ref]). Here, we sketch a more efficient construction that achieves security against a malicious P_1 only. As in the previous section, our goal here is not to optimize the efficiency of the resulting protocol but rather to illustrate the main ideas.

We continue to assume that P_2 learns the output; however, Remark 1 of Section 1.2 applies here as well, and so the protocol is easily modified so that only P_1 learns the output.


4.1 Protocol Modifications 

We introduce the following changes to the protocol described in Section 3.1.

Proof of well-formedness of pk. We require P_1 to prove that the public key pk it sends in round 1 was output by the specified key-generation algorithm Gen. (This step is not necessary if it is possible to efficiently verify whether a given pk could have been output by Gen, as is the case with, e.g., El Gamal encryption.) We remark further that it suffices for the proof to be honest-verifier zero knowledge (since we only require security against a semi-honest P_2), and we do not require it to be a proof of knowledge.

The complexity of this step is independent of n. 

Validity of outgoing-wire keys. Let [C^0_1, C^1_1], ..., [C^0_N, C^1_N] denote the ciphertexts sent by P_1 in round 1. (Recall that it is supposed to be the case that C^b_i = Enc_pk(s^b_i).) We now require P_1 to prove that (1) each C^b_i is a well-formed ciphertext with respect to the public key pk (once again, this step is unnecessary if it is possible to efficiently verify validity of ciphertexts, as is the case with El Gamal encryption), and (2) for each i, the ciphertexts C^0_i, C^1_i are encryptions of distinct values. If the encryption scheme is additively homomorphic, and we let s^0_i (resp., s^1_i) denote the plaintext corresponding to C^0_i (resp., C^1_i), then P_2 can compute Enc_pk(s^0_i − s^1_i) and the latter step is equivalent to proving that this is not an encryption of 0. Once again, it suffices for these proofs to be honest-verifier zero knowledge and they are not required to be proofs of knowledge.

The complexity of this step is linear in n since the statement being proved 
can be written as a conjunction of n statements, each of size independent of n. 

Correctness of garbled-circuit construction. We require P_1 to prove correctness of the garbled gates it sends to P_2 in the final round. This amounts to proving, for each i ∈ {1, ..., n}, that GG_i was correctly constructed from encGG_i. As before, it suffices for these proofs to be honest-verifier zero knowledge and they are not required to be proofs of knowledge.

The complexity of this step is linear in n since the statement being proved is a conjunction of n statements, each of which has size independent of n. We also note that by using an appropriate homomorphic encryption scheme and symmetric-key encryption scheme, these proofs can be made (reasonably) efficient using the techniques of Jarecki and Shmatikov [ref] (who show efficient proofs for exactly this purpose, assuming a common reference string, using a variant of the Camenisch-Shoup encryption scheme [ref]).
Correctness of input-wire and output-wire keys. Finally, P_1 is required to prove that the input-wire and output-wire keys it sends in the final round are correct. Let [C^0_1, C^1_1], ..., [C^0_N, C^1_N] denote the ciphertexts sent by P_1 in round 1 (recall it is supposed to be the case that C^b_i = Enc_pk(s^b_i)), and let

input-wires: s_1, ..., s_ℓ and output-wires: (s^0_{N−m+1}, s^1_{N−m+1}), ..., (s^0_N, s^1_N)

be the values sent by P_1 in the last round. Then P_1 must prove: (1) that for each index i ∈ {1, ..., ℓ}, one of the ciphertexts C^0_i, C^1_i is an encryption of the plaintext s_i, and (2) that for each index i ∈ {N − m + 1, ..., N}, the ciphertext C^0_i (resp., C^1_i) is an encryption of s^0_i (resp., s^1_i). It suffices for each of these proofs to be honest-verifier zero knowledge; the first set of proofs (proving correctness of the input-wire keys) must be proofs of knowledge to allow for input extraction. (Alternately, if the proof of well-formedness of the public key is a proof of knowledge then proofs of knowledge are not needed here.)

The complexity of this step is linear in ℓ + m.

We remark that most of the above proofs can be implemented efficiently for any homomorphic encryption scheme. The main exception is the proof of correctness of the garbled-circuit construction; however, as noted above, there exists at least one specific homomorphic encryption scheme for which this step can be done reasonably efficiently [ref]. A proof of the following appears in [ref].

Theorem 2. Under the same assumptions as in Theorem 1, the protocol of Figure 1 with the modifications described in the previous section is a secure C-PFE protocol for a malicious P_1.

5 Conclusions and Future Work 

We have shown the first constant-round protocol for PFE with complexity linear 
in the size of the circuit being computed (without relying on fully homomorphic 
encryption). Our results leave several interesting open questions: 

— In addition to its theoretical importance, we believe our work is also of prac- 
tical relevance: specifically, we expect that our approach to PFE will be both 
easier to implement and more efficient (for large circuits) than approaches 
relying on universal circuits. It remains to experimentally validate this claim. 

— Our work leaves open the question of designing a fully secure protocol for PFE (i.e., PFE with security against a malicious P_1 and a malicious P_2) with linear complexity that would have better performance than what results from running a secure computation of universal circuits using efficient protocols for the malicious setting (e.g., [ref]).

— It would also be interesting to further improve on the cryptographic as- 
sumptions needed for our results: e.g., to construct a protocol based on se- 
mantically secure symmetric-key encryption (without requiring related-key 
security), or to avoid the use of homomorphic public-key encryption. 

The contents of this paper do not necessarily reflect the position or the policy 
of the US Government, and no official endorsement should be inferred. 
Abstract. Bit-decomposition is an important primitive in multi-party 
computation (MPC). With the help of bit-decomposition, we will be able 
to construct constant-rounds protocols for various MPC problems, such 
as equality test, comparison, public modulo reduction and private expo- 
nentiation, which are four main applications of bit-decomposition. How- 
ever, when considering perfect security, bit-decomposition does not have 
a linear communication complexity; thus any protocols involving bit- 
decomposition inherit this inefficiency. Constructing protocols for MPC 
problems without relying on bit-decomposition is a meaningful work be- 
cause this may provide us with perfectly secure protocols with linear 
communication complexity. It is already proved that equality test, com- 
parison and public modulo reduction can be solved without involving 
bit-decomposition and the communication complexity can be reduced 
to linear. However, it remains an open problem whether private expo- 
nentiation could be done without relying on bit-decomposition. In this 
paper, maybe somewhat surprisingly, we show that it can. That is to 
say, we construct a constant-rounds, linear, perfectly secure protocol for 
private exponentiation without relying on bit-decomposition though it 
seems essential to this problem. 

In a recent work, Ning and Xu proposed a generalization of bit-decomposition and, as a simplification of their generalization, they also 
proposed a linear protocol for public modulo reduction. In this paper, 
we show that their generalization can be further generalized; more im- 
portantly, as a simplification of our further generalization, we propose a 
public modulo reduction protocol which is more efficient than theirs. 
1 Introduction

Multi-party computation (MPC) is a powerful and interesting tool in cryptology. It allows a set of n mutually untrusted parties to compute a predefined function f with their private information as inputs. After running the MPC protocol, the parties obtain only the predefined outputs but nothing else, and the privacy of their inputs is guaranteed. Although generic solutions for MPC (which can compute any function f) already exist [ref], these solutions tend to be inefficient and thus not applicable for practical use. So, to fix this problem, we focus on constructing efficient protocols for specific functions.

Recently, in the work [ref], Damgård et al. proposed a novel technique called 
bit-decomposition which can, in constant rounds, convert a polynomial sharing 
of secret x into the sharings of the bits of x. Bit-decomposition (which will of- 
ten be referred to as BD hereafter for short) is a very useful tool for MPC. 
For example, after getting the sharings of the bits of some shared secrets us- 
ing BD, we can securely perform Boolean operations on these secrets (such as 
computing the Hamming Weight, XOR, etc). Thus we can say that BD can be 
viewed as a “bridge” (in the world of MPC) connecting the arithmetic circuits 
and the Boolean circuits. What’s more, with the help of BD, we can construct 
constant-rounds protocols for some very important basic problems in MPC, such 
as equality test, comparison, public modulo reduction and private exponentiation, 
which will be referred to as four main applications of BD. After getting the bit- 
wise sharings of the shared inputs to these problems (using BD) , we will be able 
to use the divide and conquer technique to solve these problems. 

However, a problem is, BD is relatively expensive in terms of round and 
communication complexities, and thus all the protocols relying on BD inherit 
this inefficiency. For example, the communication complexity of BD (with perfect 
security) is non-linear, thus all the protocols involving BD have a non-linear 
communication complexity. A feasible solution for this problem is to construct 
protocols for MPC problems without relying on BD. It is already proved that three of the four main applications of BD, i.e. equality test, comparison and public modulo reduction, can be realized without relying on BD [ref], and the main advantage is that the communication complexity can be reduced to linear (under the premise of ensuring perfect security). Thus a natural problem is whether a similar conclusion can be arrived at for another important application of BD: private exponentiation. This was generally believed to be impossible before (e.g. [ref], page 2; [ref], page 2); however, in this paper, we show that it can. What's more, we show an improvement of the public modulo reduction protocol (without BD) proposed in [ref]. The details of our results are presented below. 
Here we’d like to argue that although these four applications of BD can be 
realized without involving BD, this does not mean BD is meaningless for these 
problems because all these protocols (without relying on BD) depend heavily 
on the ideas, techniques and sub-protocols of BD and thus can be viewed as an 
extension of the research on BD. 
1.1 Our Results

First we introduce some necessary notation. In this paper, we are mainly concerned with MPC based on linear secret sharing schemes (LSSS). Assume that the underlying LSSS is built on the field Z_p where p is a prime with bit-length l (i.e. l = ⌈log p⌉). For an element x = (x_{l−1}, ..., x_1, x_0) ∈ Z_p, we use [x]_p to denote "the sharing of x", and [x]_B to denote "the bitwise sharing of x" (which will also be referred to as "the sharings of the bits of x" or "the shared base-2 form of x" in this paper), i.e. [x]_B = ([x_{l−1}]_p, ..., [x_1]_p, [x_0]_p).

Our work is mainly about two basic problems in MPC: the private exponen- 
tiation problem and the public modulo reduction problem. We construct efficient 
protocols, which are constant-rounds, linear and perfectly secure, for these two 
problems. The details are presented below. 

The private exponentiation problem can be formalized as:

$[x^a \bmod p]_p \leftarrow \text{Private-Exponentiation}([x]_p, [a]_p)$

where x, a ∈ Z_p.

Hereafter we will refer to [x^a mod p]_p as [x^a]_p for simplicity. For solving this problem, it seems that we must involve BD to get the bitwise sharing of the exponent, i.e. [a]_B. This is exactly the case in the private exponentiation protocol in [ref]. However, in this paper we show that this is not necessary. That is to say, the private exponentiation problem can also be solved without relying on BD, and the communication complexity can also be reduced to linear (in the input length l). Compared with the private exponentiation protocol in [ref] (denoted as Pri-Expo-BD(·) in this paper), our protocol (denoted as Pri-Expo+(·)) reaches lower round complexity and much lower communication complexity.

The public modulo reduction problem (which will be referred to as Pub-MRP for short) can be formalized as:

$[x \bmod m]_p \leftarrow \text{Public-Modulo-Reduction}([x]_p, m)$

where x ∈ Z_p and m ∈ {2, 3, ..., p − 1}.

Our work on this problem can be viewed as an extension of [ref], in which Ning and Xu proposed a generalization of BD and, as a simplification of their generalization, they proposed a linear protocol for Pub-MRP without involving BD (denoted as Pub-MR(·) in this paper). In this paper, we propose a further generalization of their generalization and, similarly and more importantly, as a simplification of our further generalization, we propose a protocol for Pub-MRP with improved efficiency (denoted as Pub-MR+(·)). Specifically, the round complexity of our Pub-MR+(·) protocol is the same as that of Pub-MR(·) and, for relatively small m, the communication complexity is reduced by a factor of approximately 4.

We'd like to stress that all the protocols constructed in this paper are constant-rounds and perfectly secure. See Appendix [ref] (Table [ref]) for an overview of our protocols. What's more, we strongly recommend that interested readers read [ref], which is the full version of this paper. Many of the details are omitted in the present paper due to space constraints.
1.2 Related Work

Both of the two problems considered in this paper, exponentiation and modulo reduction, are applications of bit-decomposition (BD). The problem of BD was first considered by Algesheimer et al. in [ref], in which a partial solution was proposed. The first full solution for BD in the secret sharing setting was proposed in [ref] by Damgård et al. The main concern of this work is a constant-rounds solution for BD, and this is achieved by realizing various constant-rounds sub-protocols which are important building blocks for subsequent research including ours. What's more, as an application of BD, they also proposed a private exponentiation protocol which is the foundation of our work. Independently and concurrently, Schoenmakers and Tuyls [ref] solved the problem of BD for MPC based on (Paillier) threshold homomorphic cryptosystems [ref], and they are mainly concerned with efficient variations of BD for practical use. In the work [ref], Nishide and Ohta proposed solutions for interval test, comparison and equality test of shared secrets without relying on the expensive BD protocol although it seems necessary. Their ideas and techniques play an important role in our work. Recently, Toft showed a novel technique that can reduce the communication complexity of BD to almost linear [ref]. This is a very meaningful work and some key ideas of our work come from it. In a followup work, Reistad and Toft proposed a linear BD protocol [ref]; however, the security of this protocol is non-perfect.

As for the public modulo reduction problem (Pub-MRP), Guajardo et al. proposed a protocol for it in the threshold homomorphic setting without relying on BD [ref]. Their protocol is very efficient (thus can be very useful for practical use) and is enlightening to this paper; however, they did not consider the general case (of Pub-MRP) where the inputs can be of arbitrary size. In [ref], Ning and Xu proposed a generalization of BD, and, as a simplification of their generalization, they proposed a linear protocol (without BD) for Pub-MRP which can deal with arbitrary inputs. Our work on Pub-MRP depends heavily on their work.

2 Preliminaries 

In this section we introduce some important notations and known primitives. 

2.1 Notations and Conventions 

As mentioned above, the MPC considered in this paper is based on LSSS, such as Shamir's [ref]. We denote the underlying field (of the LSSS) as Z_p where p is a prime with bit-length l = ⌈log p⌉. For a secret x ∈ Z_p, we use [x]_p to denote the sharing of x and [x]_B = ([x_{l−1}]_p, ..., [x_1]_p, [x_0]_p) to denote the bitwise sharing of x. What's more, assume that there are n participants in the MPC protocol.

As in previous works, such as [ref], we assume that the underlying LSSS allows to compute [x + y mod p]_p from [x]_p and [y]_p without communication, and that it allows to compute [xy mod p]_p from (public) x ∈ Z_p and [y]_p without communication. We also assume that the LSSS allows to compute [xy mod p]_p 
from [x]_p and [y]_p through communication among the parties, and we call this procedure secure multiplication (or multiplication for simplicity). One invocation of this multiplication will be denoted as

$[xy \bmod p]_p \leftarrow \text{Sec-Mult}([x]_p, [y]_p)$

in which [xy mod p]_p will be referred to as [xy]_p for simplicity. Obviously, for MPC protocols, this multiplication protocol is a dominant factor of complexity as it involves communication. So, as in previous works, the round complexity of the (MPC) protocols is measured by the number of rounds of parallel invocations of multiplication (Sec-Mult(·)), and the communication complexity is measured by the number of invocations of multiplication. For example, if in all a protocol involves a multiplications in parallel and then another b multiplications in parallel, then we can say that the round complexity of this protocol is 2 and the communication complexity is a + b multiplications. What's more, if a procedure does not involve any secure multiplication, then it can be viewed as free and will not count for complexity. For example, if we get [x]_B, then [x]_p can be freely obtained by a linear combination since x = Σ_{i=0}^{l−1} x_i · 2^i.

As in [ref], when we write [C]_p, where C is a Boolean test, it means that C ∈ {0, 1} and C = 1 iff C is true. For example, we use [x = y]_p to denote the output of the equality test protocol, i.e. (x = y) = 1 iff x = y holds.

Given [c] p , we need a protocol to reveal c, which is denoted by c <— Reveal([c] p ). 
Note that although this protocol involves communication, it does not count 
for (both round and communication) complexity because the communication it 
involves can be carried out through a public channel. 

As in [ref], we will often use the conditional selection command below:

$[C]_p \leftarrow [b]_p\ ?\ [A]_p : [B]_p$

in which A, B, C ∈ Z_p and b ∈ {0, 1}, and which means the following:

If b = 1, then C is set to A; otherwise, C is set to B.

It is easy to see that this command can be realized by setting

$[C]_p \leftarrow [b]_p([A]_p - [B]_p) + [B]_p$

which costs only 1 round and 1 multiplication. We will frequently use this condi- 
tional selection command in this paper because it can make our protocols easier 
to be understood. 

2.2 Known Primitives 

We will now briefly introduce some existing primitives which will be of importance later on. We refer the readers to [ref] for detailed descriptions of these primitives.

• Random Bit Protocol. The Random-Bit(·) protocol has no input and it will output a shared uniformly random bit [b]_p which is unknown to all parties. In the secret sharing setting, it takes only 2 rounds and 2 multiplications [ref].
• Bitwise Less-Than Protocol. Given two bitwise shared inputs, [x]_B and [y]_B, the Bit-LessThan(·) protocol can compute a shared bit [x < y]_p which identifies whether x < y holds. The complexity of this protocol can be referred to as 8 rounds and 14l multiplications when l > 36 holds, which is often the case in practice [ref].

• Secure Inversion Protocol. Given a shared non-zero secret [x]_p as input, the secure inversion protocol Sec-Inver(·) will output [x^{−1} mod p]_p. This protocol will cost only 2 rounds and 2 multiplications [ref].

• Unbounded Fan-In Multiplication. In this paper, we will often need to perform the unbounded fan-in secure multiplication [ref], i.e. given l sharings [A_0]_p, [A_1]_p, ..., [A_{l−1}]_p where A_i ∈ Z_p^* for i ∈ {0, 1, ..., l − 1}, computing a sharing [A]_p where A = ∏_{i=0}^{l−1} A_i mod p. By the detailed analysis in [ref], we get to know that this protocol, denoted as Sec-Prod*(·) in this paper, can be realized in only 3 rounds and 5l multiplications.

• Equal-Zero Test Protocol. In [ref], a linear protocol Equ-Zero(·) was proposed for testing whether a given secret [x]_p is 0 or not, i.e. we have [x = 0]_p ← Equ-Zero([x]_p). Obviously, this protocol can also be used to test "whether two shared secrets [x]_p and [y]_p are equal" because "x = y" ⟺ "(x − y) = 0". The complexity of this protocol is 8 rounds and 81l multiplications.

• Generation of Bitwise Shared Random Value. This protocol, denoted by Solved-Bits(·), has no input and can output a bitwise shared random integer [r]_B satisfying r < p. The complexity of this protocol can be referred to as 7 rounds and 56l multiplications when l > 36 [ref].

• Bit-Decomposition (BD). In the secret sharing setting, the function of BD can be described as converting [x]_p to [x]_B, i.e. we have [x]_B ← BD([x]_p) [ref]. To the best of our knowledge, currently the most efficient version of BD (with perfect security) was proposed in [ref], whose complexity can be referred to as 23 rounds and 76l + 31l log l multiplications when l > 36; in the text, when analyzing the complexities of (exponentiation) protocols involving BD, we will refer to the complexity of BD as above. We note that [ref] also proposed a BD protocol with almost-linear communication complexity (i.e. O(l log* l) multiplications or even lower). This is of course a very meaningful work. However, inevitably the round complexity of this version of BD is relatively high, and thus for obtaining (private exponentiation) protocols with close and comparable round complexities (as well as for notational convenience) we do not refer to this BD protocol in detail in the text. (Although we focus mainly on the communication complexity of protocols, the round complexity should also be considered.) We also note that in [ref] a linear BD is proposed; however, the security of this BD protocol is (at most) statistical, so in the text we will not refer to this BD protocol in detail either, because we focus on protocols with perfect security.


578 C. Ning and Q. Xu 


3 Multi-party Computation for Private Exponentiation 
with BD 

In [ref], a constant-rounds private exponentiation protocol was constructed with the help of BD. This protocol is the foundation of our work, and in our exponentiation protocol we need to use its sub-protocols. So, in this section, we describe in detail this private exponentiation protocol with BD. We will first introduce two important sub-protocols of it, i.e. the public exponentiation protocol and the bit exponentiation protocol. All the protocols in this section are re-descriptions of the ones in [ref] but with detailed analysis.


3.1 The Public Exponentiation Protocol 

With a shared non-zero value [x]_p (i.e. x ∈ Z_p^*) and a public value a ∈ Z as inputs, the public exponentiation protocol, Pub-Expo(·), can compute [x^a]_p. The details are presented in Figure 1. Generally speaking, this protocol is a slightly improved version of the one in [ref].


Protocol $[x^a]_p \leftarrow$ Pub-Expo($[x]_p$, $a$)

This protocol requires that $x \ne 0$.

1. Every party $P_i$ ($i \in \{1, 2, \ldots, n\}$) picks a random integer $r_i \in \mathbb{Z}_p^*$ and computes $r_i^{-a}$. Then $P_i$ shares $r_i$ and $r_i^{-a}$ between the parties, i.e. the parties get $[r_i]_p$ and $[r_i^{-a}]_p$.

2. The parties compute
   $[r]_p \leftarrow$ Sec-Prod*($[r_1]_p, [r_2]_p, \ldots, [r_n]_p$)
   $[r^{-a}]_p \leftarrow$ Sec-Prod*($[r_1^{-a}]_p, [r_2^{-a}]_p, \ldots, [r_n^{-a}]_p$)

3. $[xr]_p \leftarrow$ Sec-Mult($[x]_p$, $[r]_p$)

4. $xr \leftarrow$ Reveal($[xr]_p$)

5. Return $[x^a]_p = (xr)^a \cdot [r^{-a}]_p$

Fig. 1. The Public Exponentiation Protocol

As for the correctness, notice that in Step 4 we need to reveal the value of $xr$ where $r$ is non-zero, and it is easy to see that $xr = 0 \Leftrightarrow x = 0$. This is just why this protocol requires $x \ne 0$: if $x = 0$, then the parties will get to know this in this step. Also note that in this protocol the public exponent $(-a)$ is the additive inverse of $a$ in the sense of mod $(p - 1)$ rather than mod $p$.

Privacy is straightforward. 

The complexity will be discussed in two cases: the semi-honest case and the malicious case. The difference between these two cases lies in Step 1, where every party $P_i$ ($i \in \{1, 2, \ldots, n\}$) is required to distribute two sharings, $[r_i]_p$ and $[r_i^{-a}]_p$, between the parties. Below we will first analyze the complexity of this step. Before going on, recall the well-known fact that when considering the communication complexity of MPC protocols (in the LSSS setting), 1 invocation of the secure multiplication is equivalent to distributing $n$ sharings between the $n$ parties, and thus the communication complexity of distributing 1 sharing (between the $n$ parties) can be viewed as $\frac{1}{n}$ multiplications.

In the semi-honest case, all the $n$ parties follow the protocol, so every party distributes 2 sharings between all the $n$ parties; thus the complexity of Step 1 is 1 round and $\frac{2}{n} \cdot n = 2$ multiplications.

In the malicious case, as mentioned in [?], the complexity is much higher because we need to involve the cut-and-choose technique to make the protocol robust. Specifically, besides $[r_i]_p$ and $[r_i^{-a}]_p$, every party $P_i$ ($i \in \{1, 2, \ldots, n\}$) is required to distribute another two sharings $[s_i]_p$ and $[s_i^{-a}]_p$. Then the parties invoke the Random-Bit($\cdot$) protocol to jointly form a shared random bit $[b_i]_p$ and open it. Then they open $([s_i]_p, [s_i^{-a}]_p)$ or compute and open $([s_i r_i]_p, [s_i^{-a} r_i^{-a}]_p)$ according to the value of $b_i$, and then verify that the first value is non-zero and that the second value is the $(-a)$'th power of the first. We call the above process one instance of cut-and-choose. For every party $P_i$ ($i \in \{1, 2, \ldots, n\}$), to get a lower error probability, we can repeat the above process $k$ times in parallel (where $k \ge 1$; $k$ will be referred to as "the security parameter for cut-and-choose"), leading to an error probability $2^{-k}$. Then we can say that in all we need $kn$ instances of cut-and-choose in parallel. As for the complexity of one instance, we notice the following facts: distributing $[s_i]_p$ and $[s_i^{-a}]_p$ between the parties involves $\frac{2}{n}$ multiplications; the generation of $[b_i]_p$ involves 2 rounds and 2 multiplications and can be scheduled in parallel with the process of distributing $[s_i]_p$ and $[s_i^{-a}]_p$; the computation of $([s_i r_i]_p, [s_i^{-a} r_i^{-a}]_p)$ involves 1 round and 2 multiplications and, obviously, on average we need only to compute $([s_i r_i]_p, [s_i^{-a} r_i^{-a}]_p)$ once every 2 instances of cut-and-choose because $b_i$ is a uniformly random bit. So, on average, the complexity of one instance is (at most) $2 + 1 = 3$ rounds and $\frac{2}{n} + 2 + 2 \cdot \frac{1}{2} = \frac{2}{n} + 3$ multiplications. Recall that in all we need $kn$ parallel instances of cut-and-choose. What's more, notice that the process of cut-and-choose can be scheduled in parallel with the process of distributing $[r_i]_p$ and $[r_i^{-a}]_p$. So, in the malicious case, the complexity of Step 1 is 3 rounds and $2 + kn \cdot (\frac{2}{n} + 3) = 2 + 2k + 3kn$ multiplications.

Then it is easy to see that, in the semi-honest case, the overall complexity of this Pub-Expo($\cdot$) protocol is $R_{pub} = R_{pub}^{sh} = 1 + 3 + 1 = 5$ rounds and $C_{pub} = C_{pub}^{sh} = 2 + 5n \cdot 2 + 1 = 10n + 3$ multiplications; in the malicious case, the overall complexity is $R_{pub} = R_{pub}^{mal} = 3 + 3 + 1 = 7$ rounds and $C_{pub} = C_{pub}^{mal} = (2 + 2k + 3kn) + 5n \cdot 2 + 1 = 3kn + 10n + 2k + 3$ multiplications.$^1$ Recall that $n$ denotes the number of the parties and $k$ is the security parameter for cut-and-choose. Hereafter, we will generally refer to the complexity of this protocol as $R_{pub}$ rounds and $C_{pub}$ multiplications. The values of $R_{pub}$ and $C_{pub}$ are determined by the adversaries considered; moreover, we can say that both $R_{pub}$ and $C_{pub}$ can be viewed as constants because they are independent from (the input length) $l$.

$^1$ Thanks to one of the anonymous reviewers, we get to realize that (seen in isolation) we can combine Step 2 and Step 3 (in Figure 1) by viewing $[x]_p$ as one of the inputs of the Sec-Prod*($\cdot$) protocol for computing $[r]_p$, to save 1 round; this is of course a meaningful improvement for a "constant-rounds" protocol. However, considering the parallel invocations of this Pub-Expo($\cdot$) protocol (e.g. in the forthcoming protocol in Figure [?]), we still separate these two steps (Step 2 and Step 3) when analyzing the complexity.


3.2 The Bit Exponentiation Protocol

With a shared non-zero value $[x]_p$ and a bitwise shared value $[a]_B = ([a_{l-1}]_p, \ldots, [a_1]_p, [a_0]_p)$ as inputs, the bit exponentiation protocol, Bit-Expo($\cdot$), can compute $[x^a]_p$. The details are seen in Figure 2.

Protocol $[x^a]_p \leftarrow$ Bit-Expo($[x]_p$, $[a]_B$)

This protocol requires that $x \ne 0$.

1. For $i = 0, 1, \ldots, l - 1$ in parallel: $[A_i]_p \leftarrow$ Pub-Expo($[x]_p$, $2^i$)

2. For $i = 0, 1, \ldots, l - 1$ in parallel: $[B_i]_p \leftarrow [a_i]_p \ ?\ [A_i]_p : 1$

3. Return $[x^a]_p \leftarrow$ Sec-Prod*($[B_{l-1}]_p, \ldots, [B_1]_p, [B_0]_p$)

Fig. 2. The Bit Exponentiation Protocol

Correctness and privacy are straightforward. The complexity of this protocol is $R_{pub} + 1 + 3 = R_{pub} + 4$ rounds and $C_{pub} \cdot l + l + 5l = (C_{pub} + 6)l$ multiplications.


3.3 The Private Exponentiation Protocol with BD

Here we come to the private exponentiation protocol relying on BD proposed in [?], which will be denoted by Pri-Expo-BD($\cdot$). Given two shared inputs $[x]_p$ and $[a]_p$, Pri-Expo-BD($\cdot$) will output $[x^a]_p$. This time, both $x$ and $a$ can be arbitrary values in $\mathbb{Z}_p$. See Figure 3 for the details.

Protocol $[x^a]_p \leftarrow$ Pri-Expo-BD($[x]_p$, $[a]_p$)

1. $[b]_p \leftarrow$ Equ-Zero($[x]_p$)

2. $[\tilde{x}]_p = [x]_p + [b]_p$

3. $[a]_B \leftarrow$ BD($[a]_p$)

4. $[\tilde{x}^a]_p \leftarrow$ Bit-Expo($[\tilde{x}]_p$, $[a]_B$)

5. Return $[x^a]_p = [\tilde{x}^a]_p - [b]_p$

Fig. 3. The Private Exponentiation Protocol with BD

As for the correctness, notice that $b = [x = 0]$ and that $[\tilde{x}]_p = [x]_p + [x = 0]_p$ is always non-zero and thus can be given to Bit-Expo($\cdot$) as the first input. What's more, it can be easily verified that $[x^a]_p = [\tilde{x}^a]_p - [x = 0]_p$ always holds no matter whether $x$ is 0 or not. Using $\tilde{x}$ to substitute $x$ to perform the protocol is in fact the "exception trick" proposed in [?] for handling the special case where $x = 0$. Privacy follows readily from only using private sub-protocols.

The overall complexity of this protocol is $23 + (R_{pub} + 4) = R_{pub} + 27$ rounds and $81l + (76l + 31l\log l) + ((C_{pub} + 6)l) = 163l + C_{pub} \cdot l + 31l\log l$ multiplications. See [13] for the detailed complexity analysis.

4 Linear Multi-party Computation for Private Exponentiation

In this section, we propose a private exponentiation protocol with constant round complexity and linear communication complexity. Specifically, we will first show how to remove the invocation of BD to get a protocol with linear communication complexity. Then we will further improve this linear protocol to reduce the communication complexity considerably.

4.1 The Private Exponentiation Protocol without BD

See Figure 4 for our private exponentiation protocol without BD, which will be denoted as Pri-Expo($\cdot$).


Protocol $[x^a]_p \leftarrow$ Pri-Expo($[x]_p$, $[a]_p$)

1. $[b]_p \leftarrow$ Equ-Zero($[x]_p$)

2. $[\tilde{x}]_p = [x]_p + [b]_p$

3. $[r]_B \leftarrow$ Solved-Bits()   ▷ Recall that $[r]_B$ implies $[r]_p$.

4. $[c]_p = [a]_p + [r]_p$

5. $c \leftarrow$ Reveal($[c]_p$)   ▷ $c = a + r \bmod p$

6. $[C]_p \leftarrow$ Pub-Expo($[\tilde{x}]_p$, $c$)   ▷ $C = \tilde{x}^c \bmod p$

7. $[C']_p \leftarrow$ Sec-Mult($[C]_p$, $[\tilde{x}]_p$)   ▷ $C' = C \cdot \tilde{x} = \tilde{x}^{c+1} = \tilde{x}^{c+1+\varphi(p)} = \tilde{x}^{c+p} \bmod p$

8. $[f]_p \leftarrow$ Bit-LessThan($c$, $[r]_B$)

9. $[C]_p \leftarrow [f]_p \ ?\ [C']_p : [C]_p$   ▷ $C = \tilde{x}^{a+r} \bmod p$

10. $[R]_p \leftarrow$ Bit-Expo($[\tilde{x}]_p$, $[r]_B$)

11. $[R^{-1}]_p \leftarrow$ Sec-Inver($[R]_p$)   ▷ $R^{-1} = \tilde{x}^{-r} \bmod p$

12. $[\tilde{x}^a]_p \leftarrow$ Sec-Mult($[C]_p$, $[R^{-1}]_p$)

13. Return $[x^a]_p = [\tilde{x}^a]_p - [b]_p$

Fig. 4. The Private Exponentiation Protocol without BD

Correctness: As for the correctness, similar to the Pri-Expo-BD($\cdot$) protocol (in Figure 3), we use the non-zero $[\tilde{x}]_p$ to substitute $[x]_p$ to perform the main process. The main idea of this protocol is as follows.

First we compute $[C]_p = [\tilde{x}^{a+r}]_p$. Notice that we have $c = a + r \bmod p$ and there are two cases: no wrap-around mod $p$ occurs or there is a wrap-around. In the former case, $a + r = c$ holds over the integers (or we can say "$a + r = c$ holds unconditionally") and then we have $c \ge r$ because $a \ge 0$; similarly, in the latter case, $a + r = c + p$ holds over the integers (i.e. $a + r = c + p$ holds unconditionally) and then we have $c < r$ because $c = r + (a - p)$ and $a < p$. So, for computing $[\tilde{x}^{a+r}]_p$, we can compute both of the two possible values of it, $[\tilde{x}^c]_p$ and $[\tilde{x}^{c+p}]_p$, and then select the correct one; this selection can be carried out by testing whether $c < r$ holds. What's more, when computing $[\tilde{x}^c]_p$ we need to involve the Pub-Expo($\cdot$) protocol; however, this is not necessary when computing $[\tilde{x}^{c+p}]_p$ because we have $\tilde{x}^{c+p} = \tilde{x}^{c+p-(p-1)} = \tilde{x}^{c+1} = \tilde{x}^c \cdot \tilde{x} \bmod p$.

Then, in the following steps, after getting $[R]_p = [\tilde{x}^r]_p$ using the Bit-Expo($\cdot$) protocol, we can obtain $[\tilde{x}^a]_p$ based on the simple fact $\tilde{x}^a = \tilde{x}^{a+r} \cdot (\tilde{x}^r)^{-1} \bmod p$. Then finally $[x^a]_p$ can be easily obtained.
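To make the selection logic concrete, the following Python model (added here; it is not part of the paper) runs the steps of Figure 4 on clear values instead of sharings, so every $[v]_p$ is just $v$, and checks the result against $x^a \bmod p$ for every $x$, $a$ and $r$ over a small prime. The only assumption is that the paper's identity $x^a = \tilde{x}^a - [x = 0]$ fixes $0^0 = 0$.

```python
# Added example (not from the paper): a clear-text model of the arithmetic in
# Pri-Expo (Figure 4).  Every sharing [v]_p is replaced by the value v itself,
# so nothing here is private; the point is to check that selecting between
# x~^c and x~^{c+p} by the test "c < r", the exception trick for x = 0, and
# the final division by x~^r always yield x^a mod p.

def pri_expo_clear(x: int, a: int, p: int, r: int) -> int:
    """Follow the 13 steps of Figure 4 on clear values.

    x, a are the two (secret) inputs in Z_p; r plays the role of the random
    value delivered by Solved-Bits, whose bits the parties are assumed to hold.
    """
    assert 0 <= x < p and 0 <= a < p and 0 <= r < p
    b = 1 if x == 0 else 0            # Step 1: Equ-Zero gives the indicator [x = 0]
    xt = (x + b) % p                  # Step 2: x~ = x + [x = 0] is never zero
    c = (a + r) % p                   # Steps 4-5: c = a + r mod p is revealed
    C = pow(xt, c, p)                 # Step 6: Pub-Expo with the public exponent c
    C_prime = (C * xt) % p            # Step 7: x~^{c+1} = x~^{c+p} since x~^{p-1} = 1
    f = 1 if c < r else 0             # Step 8: Bit-LessThan(c, [r]_B) detects wrap-around
    C = C_prime if f else C           # Step 9: now C = x~^{a+r} in both cases
    R = pow(xt, r, p)                 # Step 10: Bit-Expo on the bits of r
    R_inv = pow(R, p - 2, p)          # Step 11: Sec-Inver (R != 0 because x~ != 0)
    xt_a = (C * R_inv) % p            # Step 12: x~^{a+r} * x~^{-r} = x~^a
    return (xt_a - b) % p             # Step 13: undo the exception trick

def expected(x: int, a: int, p: int) -> int:
    """x^a mod p with the convention 0^0 = 0 forced by x^a = x~^a - [x = 0]."""
    return 0 if x == 0 else pow(x, a, p)

def check_exhaustive(p: int) -> bool:
    """Compare the model against expected() for every x, a, r in Z_p."""
    return all(pri_expo_clear(x, a, p, r) == expected(x, a, p)
               for x in range(p) for a in range(p) for r in range(p))

def wraparound_branches(a: int, p: int):
    """(#r without wrap-around, #r with wrap-around): both branches of Step 9 occur."""
    no_wrap = sum(1 for r in range(p) if a + r < p)
    return no_wrap, p - no_wrap

if __name__ == "__main__":
    print(pri_expo_clear(3, 5, 11, 9), check_exhaustive(11), wraparound_branches(5, 11))
```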

Privacy: Privacy is straightforward.

Complexity: As for the complexity, both in the semi-honest case and the malicious case, the complexity of this protocol (Pri-Expo($\cdot$)) can be referred to as $8 + (R_{pub} + 6) + 1 = R_{pub} + 15$ rounds and

$81l + 56l + C_{pub} + 1 + 14l + 1 + (C_{pub} + 6)l + 2 + 1 = 157l + C_{pub} \cdot l + C_{pub} + 5$

multiplications (see [?] for the detailed complexity analysis). Recall that both $R_{pub}$ and $C_{pub}$ can be viewed as constants, so this is a constant-rounds protocol with linear communication complexity. Compared with the (perfectly secure) Pri-Expo-BD($\cdot$) protocol proposed in [?] (whose complexity is $R_{pub} + 27$ rounds and $163l + C_{pub} \cdot l + 31l\log l$ multiplications), our protocol has a lower round complexity and a significantly lower communication complexity.

4.2 A Further Improvement

In this section, we make a further improvement of our Pri-Expo($\cdot$) protocol above by improving one of its sub-protocols, Bit-Expo($\cdot$), which is often the dominant factor of the communication complexity. The improved versions of Pri-Expo($\cdot$) and Bit-Expo($\cdot$) will be denoted as Pri-Expo$^+$($\cdot$) and Bit-Expo$^+$($\cdot$) respectively. Generally speaking, by replacing the invocation of Bit-Expo($\cdot$) with Bit-Expo$^+$($\cdot$) in our Pri-Expo($\cdot$) protocol, we get our further improved private exponentiation protocol, Pri-Expo$^+$($\cdot$). The details are presented below.

In our Pri-Expo($\cdot$) protocol (in Figure 4), Bit-Expo($\cdot$) is a very important sub-protocol. Recall that the communication complexity of this sub-protocol is $(C_{pub} + 6)l$ multiplications; what's more, in the semi-honest case $C_{pub} = C_{pub}^{sh} = 10n + 3$, and in the malicious case $C_{pub} = C_{pub}^{mal} = 3kn + 10n + 2k + 3$ (see Section 3.1). In many cases, Bit-Expo($\cdot$) is relatively expensive. For example, in the malicious case, if we set $n = 20$ and $k = 10$, then the communication complexity of Bit-Expo($\cdot$) will be $(C_{pub}^{mal} + 6)l = 829l$ multiplications; at the same time, the communication complexity of the (whole) Pri-Expo($\cdot$) protocol is $(C_{pub}^{mal} + 157)l + C_{pub}^{mal} + 5 = 980l + 828$ multiplications. So we can see that, in this case, Bit-Expo($\cdot$) is obviously a dominant factor of the communication complexity of Pri-Expo($\cdot$). So, reducing the communication complexity of Bit-Expo($\cdot$) is very meaningful.

The communication complexity of Bit-Expo($\cdot$) comes mainly from the $l$ invocations of Pub-Expo($\cdot$), which is non-trivial (see Figure 1 and Figure 2). Here we show a technique that can reduce the number of invocations (of Pub-Expo($\cdot$)) to $2\sqrt{l}$ (with a slight increase in round complexity) and thus reduce the communication complexity significantly. The main idea is presented below.

Consider the case that we want to compute $x^a$. We divide the given exponent $a = (a_{l-1}, \ldots, a_1, a_0)$ into $s$ blocks, each of which contains $t$ bits. Obviously, we have $s \cdot t = l$ and $1 \le s, t \le l$. We denote the $i$'th block of $a$ as $a_i^{(s,t)}$ for $i \in \{0, 1, \ldots, s - 1\}$, and denote the $j$'th bit of the $i$'th block as $a_{i,j}^{(s,t)}$ for $j \in \{0, 1, \ldots, t - 1\}$. That is to say, we have

$a = (a_{l-1}, \ldots, a_1, a_0) = (a_{s-1}^{(s,t)}, \ldots, a_1^{(s,t)}, a_0^{(s,t)})$
$\quad = ((a_{s-1,t-1}^{(s,t)}, \ldots, a_{s-1,0}^{(s,t)}), \ldots, (a_{1,t-1}^{(s,t)}, \ldots, a_{1,0}^{(s,t)}), (a_{0,t-1}^{(s,t)}, \ldots, a_{0,0}^{(s,t)})).$

Obviously, $a_i^{(s,t)}$ can be viewed as the $i$'th digit of the base-$2^t$ form of $a$. What's more, we have $a_{i,j}^{(s,t)} = a_{i \cdot t + j}$. Now we have the following equations:
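The equations that Figure 5 relies on, written out here from the block notation just defined (an added derivation, not text from the paper):

$$a = \sum_{i=0}^{s-1} a_i^{(s,t)} \cdot (2^t)^i, \qquad a_i^{(s,t)} = \sum_{j=0}^{t-1} a_{i,j}^{(s,t)} \cdot 2^j,$$

so that

$$x^a = \prod_{i=0}^{s-1} \left( x^{a_i^{(s,t)}} \right)^{(2^t)^i}, \qquad x^{a_i^{(s,t)}} = \prod_{j=0}^{t-1} \left( x^{2^j} \right)^{a_{i,j}^{(s,t)}}.$$

Only the $t$ values $x^{2^j}$ and the $s$ exponentiations by the public exponents $(2^t)^i$ need Pub-Expo($\cdot$); everything else is a selection or a product of shared values.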



Based on the above facts, we propose our improved Bit-Expo($\cdot$) protocol, Bit-Expo$^+$($\cdot$), which is presented in Figure 5. Note that in Figure 5, for the convenience of the forthcoming discussions, the two variables $s$ and $t$ are not assigned. We will discuss how to assign them when analyzing the complexity of this protocol.


Protocol $[x^a]_p \leftarrow$ Bit-Expo$^+$($[x]_p$, $[a]_B$)

This protocol requires that $x \ne 0$.

1. For $j = 0, 1, \ldots, t - 1$ in parallel: $[A_j]_p \leftarrow$ Pub-Expo($[x]_p$, $2^j$)

2. For $i = 0, 1, \ldots, s - 1$ in parallel do
   For $j = 0, 1, \ldots, t - 1$ in parallel: $[B_{i,j}]_p \leftarrow [a_{i,j}^{(s,t)}]_p \ ?\ [A_j]_p : 1$
   $[B_i]_p \leftarrow$ Sec-Prod*($[B_{i,0}]_p, [B_{i,1}]_p, \ldots, [B_{i,t-1}]_p$)
   $[C_i]_p \leftarrow$ Pub-Expo($[B_i]_p$, $(2^t)^i$)
   End for

3. Return $[x^a]_p \leftarrow$ Sec-Prod*($[C_0]_p, [C_1]_p, \ldots, [C_{s-1}]_p$)

Fig. 5. The Improved Bit Exponentiation Protocol
Correctness and privacy are straightforward. As for the complexity, notice that there are invocations of Pub-Expo($\cdot$) in both Step 1 and Step 2. One important point is that these two places of invocation can be scheduled partially in parallel. Specifically, while the invocations (of Pub-Expo($\cdot$)) in Step 1 are proceeding with the first two steps of Pub-Expo($\cdot$) (see Figure 1), the invocations in Step 2 can also proceed with them. That is to say, although these two places of invocation cannot be scheduled (completely) in parallel, they will cost only 1 more round than one single invocation (note that Step 3 through Step 5 in Pub-Expo($\cdot$) (Figure 1) involve only 1 multiplication). So, the complexity of this protocol is $R_{pub} + 1 + 3 + 1 + 3 = R_{pub} + 8$ rounds and $C_{pub} \cdot t + t \cdot s + 5t \cdot s + C_{pub} \cdot s + 5s \le C_{pub} \cdot (s + t) + 11l$ multiplications. (Recall that $s \cdot t = l$ and $1 \le s \le l$.)

It remains to assign concrete values to $s$ and $t$. Note that we have "$s + t \ge 2\sqrt{s \cdot t} = 2\sqrt{l}$" and "$s + t = 2\sqrt{l}$ iff $s = t = \sqrt{l}$". So we should set $s = t = \sqrt{l}$, because in this case the communication complexity of this Bit-Expo$^+$($\cdot$) protocol will be the lowest, i.e. $C_{pub} \cdot 2\sqrt{l} + 11l$ multiplications. Then, if we replace the invocation of Bit-Expo($\cdot$) in our Pri-Expo($\cdot$) protocol (in Figure 4) with the Bit-Expo$^+$($\cdot$) protocol here, we will get an improved private exponentiation protocol (denoted as Pri-Expo$^+$($\cdot$)) whose complexity is $R_{pub} + 19$ rounds and $162l + C_{pub} \cdot 2\sqrt{l} + C_{pub} + 5$ multiplications. Compared with the Pri-Expo-BD($\cdot$) protocol in [?] (whose complexity is $R_{pub} + 27$ rounds and $163l + C_{pub} \cdot l + 31l\log l$ multiplications), our Pri-Expo$^+$($\cdot$) protocol reaches lower round complexity and much lower communication complexity. What's more, we can say that the larger $C_{pub}$ is (which implies larger $n$ and $k$), the greater advantage our protocol has. For systems with relatively more participants, higher security requirements and longer input length (i.e. $l$), our protocol can be of overwhelming advantage. (See Appendix A / Table 1 for an overview.)

See [13] for some further discussions.
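The following Python model (added here; it is not the paper's code) replays Figure 5 on clear values, counting the Pub-Expo calls, and checks two things the text states: every block shape $(s, t)$ with $s \cdot t = l$ returns $x^a$, and the number of Pub-Expo calls is $s + t$, which the shape $s = t = \sqrt{l}$ minimizes against the $l$ calls of Figure 2.

```python
# Added example (not from the paper): clear-text model of Bit-Expo+ (Figure 5).
# Sharings are modelled by the values themselves and "Pub-Expo" is plain modular
# exponentiation; the count of Pub-Expo calls is what the block shape (s, t)
# changes, so that is what we measure.

def to_bits(a: int, l: int) -> list:
    """Little-endian bit list (a_0, ..., a_{l-1}) of a, matching [a]_B."""
    return [(a >> i) & 1 for i in range(l)]

def bit_expo_plus_clear(x: int, a_bits: list, s: int, t: int, p: int):
    """Return (x^a mod p, number of Pub-Expo calls) following Figure 5."""
    l = len(a_bits)
    assert s * t == l and x % p != 0, "Figure 5 needs s*t = l and x != 0"
    calls = 0
    # Step 1: A_j = x^(2^j) for the t bit positions inside one block.
    A = []
    for j in range(t):
        A.append(pow(x, 2 ** j, p))
        calls += 1
    # Step 2: per block i, B_i = prod_j (a_{i,j} ? A_j : 1), then C_i = B_i^((2^t)^i).
    C = []
    for i in range(s):
        B_i = 1
        for j in range(t):
            a_ij = a_bits[i * t + j]          # a_{i,j}^{(s,t)} = a_{i*t+j}
            B_i = B_i * (A[j] if a_ij else 1) % p
        C.append(pow(B_i, (2 ** t) ** i, p))  # B_i != 0, so Pub-Expo is allowed
        calls += 1
    # Step 3: multiply the block contributions together.
    result = 1
    for c_i in C:
        result = result * c_i % p
    return result, calls

def check_all_shapes(x: int, a: int, l: int, p: int) -> bool:
    """Every factorization l = s*t must give x^a using exactly s + t Pub-Expo calls."""
    want = pow(x, a, p)
    for s in range(1, l + 1):
        if l % s:
            continue
        t = l // s
        got, calls = bit_expo_plus_clear(x, to_bits(a, l), s, t, p)
        if got != want or calls != s + t:
            return False
    return True

def best_shape(l: int):
    """The (s, t) with s*t = l minimising s + t; (sqrt l, sqrt l) when l is a square."""
    return min(((s, l // s) for s in range(1, l + 1) if l % s == 0),
               key=lambda st: sum(st))

if __name__ == "__main__":
    # Constructed inputs: p = 65537 is prime, a = 1234 fits in l = 16 bits.
    print(check_all_shapes(5, 1234, 16, 65537), best_shape(16), best_shape(64))
```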


5 Further Generalization of BD and Improved Solution for Public Modulo Reduction

In this section, we propose a further generalization of BD and an improved solution for Pub-MRP. The work in this section depends heavily on the work in [12], which we strongly recommend the readers to read before going on.

Given a sharing of a secret $x$, BD allows the parties to extract the shared base-2 form of $x$ in constant rounds. In the work [12], Ning and Xu show a generalization of BD which is named "Base-$m$ Digit-Decomposition" (or "Base-$m$ Digit-Bit-Decomposition") and which can extract the shared (or bitwise shared) base-$m$ form of $x$ in constant rounds. We note that their generalization can be further generalized to a "Hybrid-base Digit-Decomposition" (or "Hybrid-base Digit-Bit-Decomposition") protocol which can extract the shared (or bitwise shared) hybrid-base form of $x$; here hybrid-base means the base of every digit can be different. For example, if we denote

"9 days 23 hours 59 minutes 59 seconds"

(which could be the "Time Left" before the submission deadline of this conference) as

$x = [\,9 \mid 23 \mid 59 \mid 59\,]$

then $x$ can be used to represent the total seconds (left) and can be viewed as a hybrid-base integer with bases (from left to right) 10, 24, 60, 60. Here the left-most base (i.e. "10") can be set as we wish, but the other bases are fixed.

Below we discuss the relationship between "the value of an integer" and "the bases" from another point of view. Specifically, we list 3 cases below.

1. Getting the base-2 form of $x \in \mathbb{Z}_p$

In this case, we get $l = \lceil \log p \rceil$ bits $x_i \in \{0, 1\}$ for $i \in \{0, 1, \ldots, l - 1\}$ satisfying

$x = \sum_{i=0}^{l-1} x_i \cdot 2^i.$

2. Getting the base-$m$ form of $x \in \mathbb{Z}_p$

Similarly, in this case, for the given base $m \ge 2$, we get $l^{(m)} = \lceil \log_m p \rceil$ digits $x_i^{(m)} \in \{0, 1, \ldots, m - 1\}$ for $i \in \{0, 1, \ldots, l^{(m)} - 1\}$ satisfying

$x = \sum_{i=0}^{l^{(m)}-1} x_i^{(m)} \cdot m^i.$

3. Getting the hybrid-base form of $x \in \mathbb{Z}_p$

Given an $l^{(M)}$-size "array of bases" $M[\,] = [m_{l^{(M)}-1}, \ldots, m_1, m_0]$ satisfying $m_i \ge 2$ for $i \in \{0, 1, \ldots, l^{(M)} - 1\}$ and $\prod_{i=0}^{l^{(M)}-2} m_i < p \le \prod_{i=0}^{l^{(M)}-1} m_i$, we get digits $x_i^{(M)} \in \{0, 1, \ldots, m_i - 1\}$ for $i \in \{0, 1, \ldots, l^{(M)} - 1\}$ satisfying the following equation (in which we set $m_{-1} = 1$):

$x = \sum_{i=0}^{l^{(M)}-1} \left( x_i^{(M)} \cdot \prod_{j=-1}^{i-1} m_j \right).$

Here, we call $(x_{l^{(M)}-1}^{(M)}, \ldots, x_1^{(M)}, x_0^{(M)})$ "the hybrid-base form of $x$ defined by $M[\,]$".

It is easy to see that in the hybrid-base case (i.e. Case 3), if we set the "array of bases" $M[\,]$ to be $[m, \ldots, m, m]$ where $l^{(M)} = l^{(m)}$, then we will get the base-$m$ case (i.e. Case 2); if we set $M[\,] = [2, \ldots, 2, 2]$ where $l^{(M)} = l$, we will get the base-2 case (i.e. Case 1).

Given a shared secret $[x]_p$ and an "array of bases" $M[\,]$, our "Hybrid-base Digit-Decomposition" (or "Hybrid-base Digit-Bit-Decomposition") protocol, whose asymptotic complexity is $O(1)$ rounds and $O(l^{(M)} \log l^{(M)} + l)$ (or $O(l \log l)$) multiplications,$^2$ can output the shared (or bitwise shared) hybrid-base form of $x$ defined by $M[\,]$ (i.e. the sharings (or bitwise sharings) of all the digits $x_i^{(M)}$ for $i \in \{0, 1, \ldots, l^{(M)} - 1\}$), which will be referred to as $[x]_D^{(M)}$ (or $[x]_{D,B}^{(M)}$). That is to say, we have

$[x]_D^{(M)} \leftarrow$ Hybrid-Base-Digit-Decomposition($[x]_p$, $M[\,]$);

$[x]_{D,B}^{(M)} \leftarrow$ Hybrid-Base-Digit-Bit-Decomposition($[x]_p$, $M[\,]$).

$^2$ This term was mistakenly written as $O(l^{(M)} \log l^{(M)})$ in the submission; thanks to one of the anonymous reviewers for pointing this out.

The intuition behind our further generalization is similar to that of the generalization of BD in [12]. Specifically, as shown in [12], for getting the shared (or bitwise shared) base-$m$ form of $x$, we need to randomize $[x]_p$ using a jointly generated random integer $r$ whose bitwise shared base-$m$ form is known to the parties; that is to say, the parties generate an array of bitwise shared base-$m$ digits to form $r$; here, a base-$m$ digit is in fact a non-negative integer less than $m$, and the details of generating such a (bitwise shared) digit can be seen in [12] (the Random-Digit-Bit($\cdot$) protocol). Similarly, to obtain the shared (or bitwise shared) hybrid-base form of $x$ (which is defined by $M[\,]$), we should randomize $[x]_p$ using a (jointly generated random) integer $r^+$ whose bitwise shared hybrid-base form (which is also defined by $M[\,]$) is known to the parties. This is the key idea of our further generalization and is also the key difference between the generalization in [12] and our further generalization.

More importantly, as a simplification of our "Hybrid-base Digit-Decomposition" protocol, we can get an improved public modulo reduction protocol (denoted as Pub-MR$^+$($\cdot$) here) which is more efficient than the one in [12] (denoted as Pub-MR($\cdot$)). Specifically, in [12], for solving Pub-MRP (i.e. computing $[x \bmod m]_p$ from $[x]_p$ and $m \in \{2, 3, \ldots, p - 1\}$), Ning and Xu view this problem as extracting only (the sharing of) the least significant base-$m$ digit of $x$, and thus their modulo reduction protocol (i.e. Pub-MR($\cdot$)) can be viewed as a simplification of their "Base-$m$ Digit-Decomposition" protocol (which extracts (the sharings of) all the base-$m$ digits of $x$). From another point of view, we can say that they set $M[\,] = [m, \ldots, m, m]$ and extract only (the sharing of) $x_0^{(M)}$ (see Case 2 above). This is of course correct because in this case we have $x = \sum_{i=0}^{l^{(M)}-1} x_i^{(M)} \cdot m^i$. However, this is not a must, and, enlightened by [11] and [?], we find that, by setting $M[\,] = [2, \ldots, 2, 2, m]$ where $l^{(M)} = \lceil \log \lceil p/m \rceil \rceil + 1$, we can also solve Pub-MRP because in this case we have

$x = \left( \sum_{i=1}^{l^{(M)}-1} x_i^{(M)} \cdot 2^{i-1} \right) \cdot m + x_0^{(M)}$

and thus $x_0^{(M)} = (x \bmod m)$. That is to say, in the case where $M[\,] = [2, \ldots, 2, 2, m]$, if we extract only (the sharing of) the least significant digit of $x$, which can be viewed as a simplification of our "Hybrid-base Digit-Decomposition", we can also get $[x \bmod m]_p$; this public modulo reduction protocol is just Pub-MR$^+$($\cdot$).
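The following Python helpers (added here, not from the paper) compute hybrid-base digits in the clear according to the definitions of Section 5 and check the observation behind Pub-MR$^+$: with $M[\,] = [2, \ldots, 2, m]$ the least significant digit is $x \bmod m$. Two assumptions are made: the length formula is read with ceilings, $l^{(M)} = \lceil \log \lceil p/m \rceil \rceil + 1$, and the cost ratio at the end reuses the multiplication counts stated for Pub-MR and Pub-MR$^+$ below.

```python
# Added example (not from the paper): clear-text hybrid-base digit extraction,
# i.e. the digits x_i^{(M)} with x = sum_i x_i^{(M)} * prod_{j<i} m_j (m_{-1} = 1).
# It checks the "9 days 23 hours 59 minutes 59 seconds" example, the base-2 and
# base-m special cases, and that M[] = [2, ..., 2, m] makes x_0^{(M)} = x mod m.
from math import ceil, log2

def hybrid_digits(x: int, M: list) -> list:
    """Digits (x_{l-1}^{(M)}, ..., x_0^{(M)}) of x for the array of bases M,
    given most significant base first as the paper writes M[ ].  Digit i is
    reduced modulo m_i and weighted by prod_{j<i} m_j."""
    digits = []
    for m_i in reversed(M):               # least significant base first
        assert m_i >= 2
        digits.append(x % m_i)
        x //= m_i
    assert x == 0, "x exceeds the product of the bases"
    return list(reversed(digits))

def from_hybrid_digits(digits: list, M: list) -> int:
    """Inverse of hybrid_digits: x = sum_i x_i^{(M)} * prod_{j=-1}^{i-1} m_j."""
    x, weight = 0, 1
    for d, m_i in zip(reversed(digits), reversed(M)):
        x += d * weight
        weight *= m_i
    return x

def pub_mr_plus_bases(p: int, m: int) -> list:
    """M[] = [2, ..., 2, m] of length l^{(M)} = ceil(log ceil(p/m)) + 1
    (assumption: the ceiling reading of the paper's formula)."""
    q = -(-p // m)                        # ceil(p / m)
    l_M = ceil(log2(q)) + 1
    return [2] * (l_M - 1) + [m]

def bases_cover_p(M: list, p: int) -> bool:
    """The defining condition: prod of all bases but the top one < p <= prod of all."""
    prod_all = 1
    for m_i in M:
        prod_all *= m_i
    return prod_all // M[0] < p <= prod_all

def lsd_is_x_mod_m(p: int, m: int) -> bool:
    """Check x_0^{(M)} == x mod m for every x in Z_p with the Pub-MR+ bases."""
    M = pub_mr_plus_bases(p, m)
    return bases_cover_p(M, p) and all(hybrid_digits(x, M)[-1] == x % m
                                       for x in range(p))

def pub_mr_cost_ratio(l: int, m: int) -> float:
    """Multiplications of Pub-MR over Pub-MR+, with L(m) = ceil(log m) as defined."""
    L = ceil(log2(m))
    return (326 * l + 28 * L) / (78 * l + 276 * L)

if __name__ == "__main__":
    # Constructed input: 9 days 23 h 59 min 59 s = 863999 s with bases [10, 24, 60, 60].
    print(hybrid_digits(863999, [10, 24, 60, 60]), lsd_is_x_mod_m(101, 10),
          round(pub_mr_cost_ratio(256, 100), 1))
```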

Comparison: Below we show the advantage of our Pub-MR$^+$($\cdot$) protocol over Pub-MR($\cdot$). Similar to the generalization and further generalization of BD, when computing $[x \bmod m]_p$ from $[x]_p$ and $m$, both Pub-MR($\cdot$) and our Pub-MR$^+$($\cdot$) need to use a jointly generated random integer to randomize $[x]_p$ [12]. The key difference between these two (modulo reduction) protocols lies just in the generation of this random integer. Specifically, in the Pub-MR($\cdot$) protocol, the random integer needed, denoted as $r$ here, should be of a "hybrid-base" form defined by $M[\,] = [m, \ldots, m, m]$ where $l^{(M)} = l^{(m)}$; whereas in our Pub-MR$^+$($\cdot$) protocol, the random integer needed, denoted as $r^+$, should be of a hybrid-base form defined by $M[\,] = [2, \ldots, 2, 2, m]$ where $l^{(M)} = \lceil \log \lceil p/m \rceil \rceil + 1$. Then obviously, in Pub-MR($\cdot$), when generating $r$, we need to generate $l^{(M)} = l^{(m)}$ (bitwise shared) base-$m$ digits, whereas in our Pub-MR$^+$($\cdot$), when generating $r^+$, we need only to generate 1 such base-$m$ digit. This is just the advantage of our improved public modulo reduction protocol; reducing the demand for such base-$m$ digits is very meaningful because generating them is non-trivial work. Specifically, when $m$ is not a power of 2, roughly speaking the generation of 1 such digit will cost 8 rounds and $64L(m)$ multiplications, where $L(m) = \lceil \log m \rceil$ denotes the bit-length of $m$ [12].

Complexity: Finally, we conclude that the complexity of our Pub-MR$^+$($\cdot$) protocol is 22 rounds and (about) $78l + 276L(m)$ multiplications. Compared with Pub-MR($\cdot$) (whose complexity is 22 rounds and (about) $326l + 28L(m)$ multiplications), we can see that, for relatively small $m$ (thus $L(m)$ is very small), the communication complexity is reduced considerably. For example, in the case where $l = 256$ and $m = 100$ (then $L(m) = \lceil \log 100 \rceil = 7$), the communication complexity is reduced by a factor of approximately 3.8.

6 Discussions

We note that using the ideas in [11], the round complexity of our private exponentiation protocols (as well as our public modulo reduction protocol) can be improved; the method is to use preprocessing, i.e. moving all the generation of (shared) random values (e.g. the invocations of Random-Bit($\cdot$)) to the beginning of the whole protocol. In the analysis of the round complexity of our protocols, we simply ignore this for clarity.

An interesting point is that the communication complexity of our "Hybrid-base Digit-Decomposition" protocol and "Hybrid-base Digit-Bit-Decomposition" protocol can be reduced to "almost linear" using the techniques of [18]. Specifically, the only non-linear part of these two protocols is the computation of a prefix-$\circ$ [6,12], and the techniques proposed in [18], which are used to reduce the complexity of the only non-linear part of BD (computation of a postfix-comparison) to "almost linear", can also be used to reduce the complexity of the computation of this prefix-$\circ$ to "almost linear".

7 Future Work

In our private exponentiation protocol, we need an important sub-protocol called the public exponentiation protocol (i.e. Pub-Expo($\cdot$)) for computing $[x^a \bmod p]_p$ from $[x]_p$ and a public $a$. A problem is that the communication complexity of this sub-protocol is relatively high and, more importantly, the communication complexity depends on $n$ and $k$ (see Section 3.1 for the details). We leave it as an open problem to construct more efficient protocols for this problem, and protocols with communication complexity independent from $n$ and $k$ would be most welcome. What's more, in our private exponentiation protocol, when involving Pub-Expo($\cdot$), the second input (i.e. the public $a$ in Figure 1) is (almost) always a power of 2. So designing more efficient public exponentiation protocols for this special case is also meaningful.

Acknowledgments. We would like to thank the anonymous reviewers for their 
careful work and helpful comments. 
A An Overview of the New Protocols

The details are presented in Table 1. Below are some notes.

As mentioned in Section 3.1, $R_{pub}$ represents the round complexity of the public exponentiation protocol (i.e. Pub-Expo($\cdot$)) and $C_{pub}$ represents the communication complexity (of Pub-Expo($\cdot$)), and the values of $R_{pub}$ and $C_{pub}$ are determined by the adversary considered. Specifically, in the semi-honest case, $R_{pub} = R_{pub}^{sh} = 5$ and $C_{pub} = C_{pub}^{sh} = 10n + 3$; in the malicious case, $R_{pub} = R_{pub}^{mal} = 7$ and $C_{pub} = C_{pub}^{mal} = 3kn + 10n + 2k + 3$, in which $n$ denotes the number of the participants of the MPC protocol and $k$ is the security parameter for cut-and-choose. Both $R_{pub}$ and $C_{pub}$ can be viewed as constants because they are independent from (the input length) $l$. What's more, as mentioned in Section 5, $L(m) = \lceil \log m \rceil$ represents the bit-length of $m$.


Table 1. Overview of The New Protocols

Protocol Description                                   | Rounds         | Multiplications
$[x^a]_p \leftarrow$ Pub-Expo($[x]_p$, $a$)            | $R_{pub}$      | $C_{pub}$
$[x^a]_p \leftarrow$ Bit-Expo($[x]_p$, $[a]_B$)        | $R_{pub} + 4$  | $C_{pub} \cdot l + 6l$
$[x^a]_p \leftarrow$ Bit-Expo$^+$($[x]_p$, $[a]_B$)    | $R_{pub} + 8$  | $C_{pub} \cdot 2\sqrt{l} + 11l$
$[x^a]_p \leftarrow$ Pri-Expo-BD($[x]_p$, $[a]_p$)     | $R_{pub} + 27$ | $163l + C_{pub} \cdot l + 31l\log l$
$[x^a]_p \leftarrow$ Pri-Expo($[x]_p$, $[a]_p$)        | $R_{pub} + 15$ | $157l + C_{pub} \cdot l + C_{pub} + 5$
$[x^a]_p \leftarrow$ Pri-Expo$^+$($[x]_p$, $[a]_p$)    | $R_{pub} + 19$ | $162l + C_{pub} \cdot 2\sqrt{l} + C_{pub} + 5$
$[x \bmod m]_p \leftarrow$ Pub-MR($[x]_p$, $m$)        | 22             | $326l + 28L(m)$
$[x \bmod m]_p \leftarrow$ Pub-MR$^+$($[x]_p$, $m$)    | 22             | $78l + 276L(m)$
1 Introduction

The notion of secret sharing was introduced independently by Shamir [?] and Blakley [?] in 1979. Since then, it has remained an important topic in cryptographic research. For integers $n$ and $t$ such that $n > t > 0$, an $(n, t)$-secret sharing scheme is a method used by a dealer $D$ to share a secret $s$ among a set of $n$ parties (the sharing phase) in such a way that in the reconstruction phase any subset of $t + 1$ or more honest parties can compute the secret $s$, but subsets of size $t$ or fewer cannot. Since in some secret sharing applications the dealer may benefit from behaving maliciously, parties also require a mechanism to confirm the correctness of the dealt values. To meet this requirement, Chor et al. [?] introduced the concept of verifiable secret sharing (VSS).

VSS has remained an important area of cryptographic research for the last two decades [?]. In the literature, VSS schemes are categorized based on the adversarial computational power: computational VSS schemes and unconditional VSS schemes. In the former, the adversary is computationally bounded by a security parameter, while in the latter the adversary may possess unbounded computational power. Naturally, the computational VSS schemes are significantly more practical and efficient in terms of message and communication complexities as compared to the unconditional schemes. Thus, the majority of the recent research has been focused on devising practical constructions for unconditional VSS. In this work, we revisit the concept of computational VSS [?] to settle the round complexity of computational VSS based on minimal cryptographic assumptions (which is cryptographic commitment in our case) and to investigate the role of homomorphism of commitment schemes in the context of VSS.

Motivation and Contributions. The major savings in the computational VSS schemes come from the use of cryptographic commitments. Interestingly, we find that all computational VSS schemes in the literature except [?, App. A] (which satisfies weaker conditions; see related work) require these commitments to be homomorphic. However, homomorphism is not inherent to cryptographic commitments; it is an additional property provided by discrete logarithm (DLog), Pedersen [?] and a few other commitment schemes. As we elaborate later in the paper, commitments can be designed from general primitives such as one-way functions or collision-free hash functions; but homomorphism may not be guaranteed in these constructions. Furthermore, relying on as few assumptions as possible without much loss in efficiency is always a general goal in cryptography. Therefore, computational VSS schemes based only on the definitional properties of commitments can be interesting to study.

In this paper, we show that homomorphism is not a necessity for VSS in 
both synchronous (known and bounded message delays) and asynchronous (un- 
bounded message delays) communication model. While our VSS schemes (in 
both network settings) based on any commitment scheme are almost as good 
as the existing computational VSS protocols using homomorphic commitment 
schemes in terms of communication, they are considerably better than the 
unconditional VSS schemes. 
In the synchronous communication model with a broadcast channel, Gennaro et al. [ref] initiated the study of round complexity (number of rounds required to complete an execution) and proved a lower bound of three rounds during the sharing phase and one round during the reconstruction phase for unconditional VSS. The work was extended in [ref] with tight polynomial-time constructions, and in [ref] by improving the bounds in a statistical scenario where the VSS properties hold statistically and can be violated with negligible probability.

The round complexity of computational VSS has never been formally analyzed in the synchronous VSS literature. We observe that the round complexity of all known practical computational VSS protocols [ref] for the optimal resilience of n ≥ 2t + 1 is the same as that of unconditional VSS schemes: three rounds in the sharing phase (see footnote 1). This similarity is surprising considering the usage of commitments in computational VSS. We analyze the round complexity of computational VSS with homomorphic and non-homomorphic commitments.

1. We show the impossibility of a 1-round computational VSS protocol in the standard communication model under consideration; specifically, we prove that a computational VSS scheme with one round in the sharing phase is impossible for t ≥ 2 or n ≤ 3t. However, we find that there exists a special 1-round VSS construction for t = 1 and n ≥ 4, when the dealer is one of the participants; we include the construction in the full version of the paper [ref].

2. We then tighten our lower-bound result by providing a 2-round computational VSS scheme for n ≥ 2t + 1 using any commitment scheme. Existing VSS schemes [ref] based on homomorphic commitments require three rounds for n ≥ 2t + 1. Comparing with unconditional VSS schemes, we notice that the message (the number of messages transferred) and communication (the number of bits transferred) complexities of our scheme are at least a linear factor less. Also, our scheme is better in terms of round complexity or resilience bound as compared to all known unconditional VSS schemes.

We then provide a VSS scheme for n ≥ 2t + 1 using homomorphic commitments that has the same message and communication complexities but requires one less round of communication as compared to [ref].

Organization. In the rest of this section, we review the related work. In Section 2 we describe our adversary model, and definitions of VSS and commitments. We present all our results for the synchronous model in Section 3 and those for the asynchronous model in Section 4. In Section 5 we discuss a few interesting open problems. Some of our proofs are shifted to the full version [ref].

Related Work. For our work in the synchronous setting, we closely follow the network and adversary model of the best known VSS schemes: Feldman VSS [ref] and Pedersen VSS [ref]. These schemes are called non-interactive as they require unidirectional private links from the dealer to the parties; non-dealer parties speak only via the broadcast channel. Our protocol assumes nearly the same network model; however, in addition, we also allow parties to send messages to the dealer over the private channels. In practice, it is reasonable to assume that private links are bidirectional. Note that we do not need any private communication links between non-dealer parties.

1 Note that it is possible to reduce a round in sharing in [ref], but that asks for a sub-optimal resilience of n ≥ 3t + 1. Further, with a much stronger assumption of non-interactive zero-knowledge (NIZK), it is possible to reduce the number of sharing rounds to one for n ≥ 2t + 1 in the public key infrastructure setting [ref].

It is also important to compare our results with unconditional VSS as we work towards reducing the cryptographic assumptions required for computational VSS. In unconditional or information-theoretic settings, there are two different possibilities for the VSS properties; they can hold perfectly (i.e., error-free) or statistically with negligible error probability. Perfect VSS is possible if and only if n ≥ 3t + 1 [ref], while statistical VSS is possible for n ≥ 2t + 1 [ref], assuming a broadcast channel. Gennaro et al. [ref] initiated the study of the round complexity of unconditional VSS, which was extended by Fitzi et al. [ref] and Katz et al. [ref]. They concentrate on unconditional VSS with perfect security and show that three rounds in the sharing phase are necessary and sufficient for n ≥ 3t + 1. In the statistical scenario, Patra et al. [ref] show that n ≥ 3t + 1 is necessary and sufficient for 2-round statistical VSS. Recently, Kumaresan et al. [ref] extended the result to prove that 3 rounds are enough for designing statistical VSS with n ≥ 2t + 1.

The round complexity has never been studied formally for computational VSS. In the standard model that we follow, the best known computational VSS protocols [ref] require two rounds; however, they work only for a suboptimal resilience of n ≥ 3t + 1. Although these schemes can also be adapted for n ≥ 2t + 1, they then ask for three rounds. In addition, the only known VSS scheme among these that does not mandate homomorphic commitments, [ref, App. A], does not satisfy the generally required stronger commitment property described in Section 2.2. In this paper, we improve all the above results by showing that two rounds are necessary and sufficient for (stronger) VSS with n ≥ 2t + 1 using (homomorphic or non-homomorphic) cryptographic commitments. Note that it is also possible to achieve 1-round VSS in the presence of a public-key infrastructure (PKI) employing NIZK proofs [ref]. However, NIZK proofs require a common reference string or a random oracle. Furthermore, the scheme of [ref] can only achieve computational secrecy, whereas our schemes can obtain unconditional or computational secrecy as required.

For our work in the asynchronous setting, we follow the standard model of Cachin et al. [ref]. In the asynchronous setting, Cachin et al. [ref], Zhou et al. [ref], and more recently Schultz et al. [ref] suggested computational VSS schemes. Of these, the protocol by Cachin et al. is the most practical computational VSS protocol with O(n^2) message complexity. However, all of these schemes rely on homomorphism of the commitment scheme. We avoid the use of homomorphism, while maintaining the message complexity of the VSS protocol by Cachin et al. [ref]. Note that our protocol is significantly more efficient in all aspects as compared to unconditional VSS schemes [ref] in the asynchronous setting.
2 Preliminaries

We work in the computational security setting, where k denotes the security parameter of the system, in bits. We assume that the dealer's secret s lies in a finite field F_p, where p is a k-bit prime. Our polynomials for secret sharing belong to F_p[x] or F_p[x, y], and the indices for the parties are chosen from Z_p. Without loss of generality, we assume these indices to be {1, ..., n}. A function ε(·): N → R+ is called negligible if for all c > 0 there exists a k_0 such that ε(k) < 1/k^c for all k > k_0. In the paper, ε(·) denotes a negligible function.


2.1 Adversary Model

We consider a network of n parties 𝒫 = {P_1, P_2, ..., P_n}, where a distinguished party D ∈ 𝒫 works as a dealer. Our adversary A is t-bounded and it can compromise and coordinate actions of up to t out of n parties. We also assume that the adversary is adaptive: it may corrupt any party at any instance during a protocol execution as long as the number of corruptions is bounded by t.

We work in the synchronous as well as the asynchronous settings, and postpone the discussions on the communication setting to the respective sections (synchronous model in Section 3.1 and asynchronous model in Section 4.1).


2.2 VSS and Variants

We now present a definition of VSS [ref]. A VSS protocol among n parties 𝒫 = {P_1, P_2, ..., P_n} with a distinguished party D ∈ 𝒫 consists of two phases: a sharing phase and a reconstruction phase.

Sharing. Initially, D holds an input s, referred to as the secret, and each party P_i may hold an independent random input r_i. At the end of the sharing phase, each honest party P_i holds a view that may be required to reconstruct the dealer's secret later.

Reconstruction. In this phase, each party P_i publishes its entire view v_i from the sharing phase, and a reconstruction function Rec(v_1, ..., v_n) is applied and is taken as the protocol's output.

We call an n-party VSS protocol, with t-bounded adversary A, an (n, t)-VSS protocol if it satisfies the following conditions:

Secrecy. If D is honest then the adversary's view during the sharing phase reveals no information about s. More formally, the adversary's view is identically distributed for all different values of s.

Correctness. If D is honest then the honest parties output the secret s at the end of the reconstruction phase.

Commitment. If D is dishonest, then at the end of the sharing phase there exists a value s* ∈ F_p ∪ {⊥}, such that at the end of the reconstruction phase all honest parties output s*.
The sharing phase as well as the reconstruction phase may consist of several communication rounds. A VSS protocol is considered efficient if the total computation and communication performed by all the honest parties is polynomial in n and the security parameter k. The optimal resiliency bound for VSS is n ≥ 2t + 1 (in the presence of a broadcast channel) in the synchronous setting and n ≥ 3t + 1 in the asynchronous setting.

Variants of VSS. A few variants of VSS have been introduced as required in secret sharing applications. We briefly describe those below.

1. In our VSS definition, we assume that secrecy is unconditional, while correctness and commitment are computational. We can have a variation where secrecy is computational, and correctness and commitment are unconditional in nature. This is easily possible as secrecy and correctness of a VSS scheme are derived respectively from the hiding and binding of the commitment scheme in use. Our lower bound results hold for this variation as well. However, for computationally secure VSS, we can prove security only against a static adversary that chooses t parties before a protocol execution starts.

2. In our VSS, the reconstruction may end with ⊥. By fixing a default value in F_p (say 0) that will be output instead of ⊥, it is possible to say that s* ∈ F_p. However, as suggested in [ref, Sec. 2.1], an even stronger VSS definition is possible. The stronger definition has exactly the same secrecy and correctness properties, but has a stronger commitment property:

Strong Commitment. Even if D is dishonest, at the end of the sharing phase, each party locally outputs a share of a secret s* chosen only from F_p such that shares from any t + 1 honest parties are consistent with s*.

For Shamir's secret sharing, this property means that at the end of the sharing phase, there exists a t-degree polynomial f(x) such that the share s_i held by every honest party P_i is equal to f(i). While our asynchronous protocol in Section 4.2 satisfies the basic VSS definition, our 2-round protocols in Sections 3.2 and 3.4 satisfy the stronger definition. In the full version, we present an asynchronous protocol satisfying the stronger definition.

3. Another stronger variant of VSS considers dealer D to be an external party (i.e., D ∉ 𝒫) and allows the t-bounded adversary to corrupt the dealer and up to t additional parties in 𝒫.

Our lower bound results and all of our protocols except our one-round VSS protocol [ref] work for this variant as well. We show that 1-round VSS with an external dealer is impossible even when t = 1, irrespective of the value of n and the number of rounds in the reconstruction phase.

We work on VSS as a standalone primitive in this paper. The required VSS properties, especially the commitment property, may change in some VSS applications. We consider that to be interesting future work and discuss it in Section 5.

2.3 Commitment Schemes

A cryptographic commitment scheme is a two-phase cryptographic protocol between a committer and a verifier.

Commit Phase. Given a message m, a committer runs [C, (m, d)] = Commit(m) and publishes C as a commitment that binds her to message m (binding) without revealing it (hiding). The function may output an opening value d.

Open Phase. The committer opens commitment C by revealing (m, d) to a verifier. The verifier can then check if the message is consistent with the commitment (i.e., m = Open(C, m, d)).

We note that commitment schemes also require a setup that generally involves choosing the cryptographic parameters. This can easily be included in the VSS setup and thus we do not consider it in detail.

A commitment scheme cannot be unconditionally (perfectly or statistically) binding and hiding at the same time. As a result, commitments come in two flavors: perfectly (or statistically) binding but computationally hiding commitments, and perfectly (or statistically) hiding but computationally binding commitments. There are many applications of commitments where they may never be opened or are opened only after a while. In such scenarios, commitments of the second type are generally considered advantageous over the first type, since the committed values are hidden in the information-theoretic sense in the second type.

The perfectly hiding but computationally binding (under the DLog assumption) Pedersen commitment scheme [ref] is the most commonly used commitment scheme in computational VSS. It has an interesting additive homomorphic property: a product of two commitments C_1 and C_2 (associated respectively with messages m_1 and m_2) commits to the sum of the committed messages (m_1 + m_2). However, with its reliance on the DLog assumption, this commitment scheme will not be suitable once quantum computers arrive.

On the other hand, commitments of both types can be achieved from any one-way function (see [ref] and references within). In this paper, we concentrate on the commitments of the second type, whose efficient constructions are possible from any claw-free permutation [ref], any one-way permutation [ref] or any collision-free hash function [ref]. Along with being non-homomorphic, some of these commitment constructions are also interactive in nature. We restrict ourselves to the non-interactive commitment constructions (e.g., [ref] and [ref]) as the interactive commitment constructions may increase the round complexity of our VSS schemes.

3 VSS in the Synchronous Network Model

Before presenting our results in the synchronous setting, we describe our synchronous communication model in detail.

3.1 Synchronous Communication Model

We closely follow the bounded-synchronous communication model in [ref]. Here, the dealer is connected to every other party by a private, authenticated and bidirectional link. We do not require communication links between any two non-dealer parties in 𝒫. We further assume that all parties have access to a common broadcast channel that allows a party to send a message to all other parties, and every party is assured that all parties have received the same message in the same round.

In the synchronous model, the distributed protocols operate in a sequence of rounds. In each round, a party performs some local computation, sends messages (if any) to the dealer through the private and authenticated link, and broadcasts some information over the broadcast channel. By the end of the round, it also receives all messages sent or broadcast by the other parties in the same round.

Along with being adaptive and t-bounded, we allow the adversary to be rushing: in every round of communication it can wait to hear the messages of the honest parties before sending (or broadcasting) its own messages. By round complexity of VSS, we mean the number of rounds in the sharing phase only, since all of our protocols require a single round during reconstruction.


3.2 2-Round VSS for n ≥ 2t + 1 from Any Commitment

Here, we present a 2-round sharing and 1-round reconstruction VSS protocol for n ≥ 2t + 1. Our 2-round VSS protocol allows any form of commitment. Feldman and Pedersen VSS schemes require three rounds for n ≥ 2t + 1. The general structure of the sharing phase of their three-round VSS schemes is: in the first (distribution) round, the dealer sends shares to parties and publishes a commitment on these shares. In the second round, parties may accuse (through broadcast) the dealer of sending inconsistent shares, which he resolves (through broadcast) in the third round. It is impossible to have distribution and accusation in the same round. Therefore, in order to reduce the number of rounds to two, the accusation and resolution rounds in VSS are collapsed into one round. To achieve this, the set of parties (in addition to the dealer) performs some communication in the first round. We then employ a commitment-based modification of the standard round-reduction technique from unconditional VSS protocols [ref, Sect. 3.1]. It involves every party publicly committing to some randomness and sending that randomness to the dealer in the first round. The dealer uses this randomness as a blinding pad to broadcast the shares in the next round. Further, we use bivariate polynomials instead of the univariate polynomials used in Feldman or Pedersen VSS. In the absence of homomorphism and without using bivariate polynomials, we do not know how the parties can check that the degree of a shared univariate polynomial is t without using expensive NIZK proofs.

Overview. In our 2-round protocol, dealer D chooses a t-degree symmetric bivariate polynomial F(x, y) such that F(0, 0) = s, the secret that he wants to distribute. Note that all of our protocols in this paper work also with asymmetric bivariate polynomials. However, for ease of understanding, we always use symmetric polynomials in our descriptions. Dealer D gives the univariate polynomial f_i(x) = F(x, i) to every party P_i and publicly commits to the evaluations f_i(j) for j ∈ [1, n]. As already mentioned, we allow every party to communicate with D independently in the first round. Specifically, every party P_i sends n random
Protocol 2-Round-VSS(D, 𝒫, s): Sharing Phase (Two Rounds)

Round 1: Dealer D
- chooses a random symmetric bivariate polynomial F(x, y) of degree t such that F(0, 0) = s
- computes [Com_ij, (f_ij, r_ij)] = Commit(f_ij) for i, j ∈ [1, n] and i ≥ j, where f_ij = F(i, j)
- assigns Com_ij = Com_ji and r_ij = r_ji for i, j ∈ [1, n] and i < j
- sends (f_ij, r_ij) for j ∈ [1, n] to P_i, and broadcasts Com_ij for i, j ∈ [1, n]

Every other party P_i
- chooses two sets of n random values (p_i1, ..., p_in) and (g_i1, ..., g_in).
- computes [PCom_ij, (p_ij, q_ij)] = Commit(p_ij) and [GCom_ij, (g_ij, h_ij)] = Commit(g_ij) for j ∈ [1, n].
- sends (p_ij, q_ij) and (g_ij, h_ij) for j ∈ [1, n] to D, and broadcasts PCom_ij and GCom_ij for j ∈ [1, n].

Round 2: Dealer D, for every party P_i,
- verifies if p_ij = Open(PCom_ij, p_ij, q_ij) and g_ij = Open(GCom_ij, g_ij, h_ij) for j ∈ [1, n]
- broadcasts (α_ij, β_ij) for all j ∈ [1, n] such that α_ij = f_ij + p_ij and β_ij = r_ij + g_ij if the verification succeeds, and broadcasts (f_ij, r_ij) for all j ∈ [1, n] otherwise.

Party P_i
- verifies if deg(f_i(x)) = t and f_ij = Open(Com_ij, f_ij, r_ij) for j ∈ [1, n], where f_i(x) is the polynomial defined by the f_ij's for j ∈ [1, n].
- broadcasts nothing if the verifications succeed, and broadcasts (p_ij, q_ij) and (g_ij, h_ij) for j ∈ [1, n] otherwise.

P_i is said to be happy if she broadcasts nothing, and considered unhappy otherwise.

Local Computation: Every party P_k
1. discards D and halts the execution of 2-Round-VSS, if D broadcasts
   - Com_ij ≠ Com_ji for some i and j
   - (f_ij, r_ij) such that f_ij ≠ Open(Com_ij, f_ij, r_ij) for some i and j
   - f_ij for j ∈ [1, n] that define a polynomial of degree > t for some i
   - (f_ij, r_ij) and (f_ji, r_ji) for some i and j such that f_ij ≠ f_ji or r_ij ≠ r_ji
   - (α_ij, β_ij) while P_i broadcasts (p_ij, q_ij) and (g_ij, h_ij) such that p_ij = Open(PCom_ij, p_ij, q_ij) and g_ij = Open(GCom_ij, g_ij, h_ij) for all j, and (f'_ij ≠ Open(Com_ij, f'_ij, r'_ij) or deg(f'_i(x)) > t), where f'_ij = α_ij − p_ij, r'_ij = β_ij − g_ij and f'_i(x) is the polynomial defined by the f'_ij's for j ∈ [1, n].
2. discards an unhappy party P_i, if she broadcasts p_ij and g_ij for j ∈ [1, n] such that p_ij ≠ Open(PCom_ij, p_ij, q_ij) or g_ij ≠ Open(GCom_ij, g_ij, h_ij) for some j. Let Q be the set of non-discarded parties.
3. outputs (f_kj, r_kj) for j ∈ [1, n] as received in round 1, if P_k is happy and in Q. If she is unhappy and belongs to Q, then she outputs (f_kj, r_kj) for j ∈ [1, n] if they were broadcast in round 2. Otherwise, P_k computes (f_kj, r_kj) for j ∈ [1, n] as f_kj = α_kj − p_kj and r_kj = β_kj − g_kj.

Fig. 1. Sharing Phase of Protocol 2-Round-VSS(D, 𝒫, s) for n ≥ 2t + 1

values privately to D and publicly commits to them. At the end of the first round, every party checks the consistency of her received univariate polynomial with the commitments of D, and D checks the consistency of his received values with
Protocol 2-Round-VSS(D, 𝒫, s): Reconstruction Phase (One Round)

1. Each P_i in Q broadcasts (f_ij, r_ij) for j ∈ [1, n].

Local Computation: For every party P_k,
1. Party P_i ∈ Q is said to be confirmed if deg(f_i(x)) = t and f_ij = Open(Com_ij, f_ij, r_ij) for j ∈ [1, n], where f_i(x) is the polynomial defined by the f_ij's for all j ∈ [1, n].
2. Consider the f_i(x) polynomials of any t + 1 confirmed parties. Interpolate F'(x, y) and output s' = F'(0, 0).

Fig. 2. Reconstruction Phase of Protocol 2-Round-VSS(D, 𝒫, s) for n ≥ 2t + 1

the corresponding commitments of the individual parties. The second-round communication consists of only broadcasts. Any inconsistency between the public commitments and private values, as well as the pairwise inconsistencies in the bivariate polynomial distribution (i.e., f_i(j) = f_j(i)), are sorted out in the second round. Note that there will be agreement among the parties at the end of the local computation of the sharing phase; i.e., every honest party knows if D is discarded, and otherwise every honest party has an identical copy of Q, the set of parties allowed to participate in the reconstruction phase.

In the reconstruction phase, every party discloses her respective univariate polynomial. They are verified with respect to the public commitments and the consistent polynomials are used for the reconstruction of the bivariate polynomial and consequently the committed secret s. We present the protocol in Fig. 1 and Fig. 2. We prove that the 2-Round-VSS protocol satisfies the stronger variant of VSS defined in Section 2.2.
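As an added illustration, not code from the paper or its authors, the following Python simulation runs the sharing and reconstruction phases of 2-Round-VSS. The Commit/Open interface of Section 2.3 is instantiated by an assumed SHA-256 hash commitment (non-homomorphic, with field-element opening values so that β_ij = r_ij + g_ij is well defined); the field prime, the party count and the cheating-dealer scenario are constructed for the example. Round 2 is exercised only on the unhappy path, and the dealer's verification of the pad commitments is represented by an assertion.

```python
import hashlib
import secrets

# Constructed toy field: the paper takes a k-bit prime p; 2**61 - 1 is prime and keeps
# the example fast. Opening values d are field elements, so beta_ij = r_ij + g_ij works.
P = 2**61 - 1

def _h(m, d):
    return hashlib.sha256(m.to_bytes(8, "big") + d.to_bytes(8, "big")).digest()

def commit(m):
    """[C, (m, d)] = Commit(m): an assumed hash commitment standing in for 'any commitment'.
    Hiding rests on the random d, binding on SHA-256 collision resistance; no homomorphism."""
    d = secrets.randbelow(P)
    return _h(m, d), (m, d)

def open_ok(c, m, d):
    """m = Open(C, m, d) holds iff (m, d) recomputes C."""
    return _h(m, d) == c

def lagrange_at(points, x):
    """Evaluate the unique polynomial through `points` at x over F_P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def degree_at_most(points, t):
    """deg(f) <= t: the first t+1 points fix f; every further point must lie on it."""
    return all(lagrange_at(points[: t + 1], x) == y for x, y in points[t + 1:])

def dealer_round1(s, n, t):
    """D picks a symmetric bivariate F of degree t with F(0,0) = s, commits to
    f_ij = F(i,j) for i >= j and mirrors Com_ji = Com_ij, r_ji = r_ij."""
    coef = [[0] * (t + 1) for _ in range(t + 1)]
    for a in range(t + 1):
        for b in range(a, t + 1):
            coef[a][b] = coef[b][a] = s if (a, b) == (0, 0) else secrets.randbelow(P)
    F = lambda x, y: sum(coef[a][b] * pow(x, a, P) * pow(y, b, P)
                         for a in range(t + 1) for b in range(t + 1)) % P
    com, priv = {}, {}  # broadcast Com_ij ; private (f_ij, r_ij) handed to P_i
    for i in range(1, n + 1):
        for j in range(1, i + 1):
            c, fr = commit(F(i, j))
            com[(i, j)] = com[(j, i)] = c
            priv[(i, j)] = priv[(j, i)] = fr
    return com, priv

def party_checks(com, priv, i, n, t):
    """P_i is happy iff deg(f_i) <= t and every (f_ij, r_ij) opens Com_ij."""
    pts = [(j, priv[(i, j)][0]) for j in range(1, n + 1)]
    return degree_at_most(pts, t) and all(
        open_ok(com[(i, j)], *priv[(i, j)]) for j in range(1, n + 1))

def resolve_unhappy(com, priv, i, n, t):
    """Round 2 for an unhappy P_i: D (blinding exactly what he sent) broadcasts
    (alpha_ij, beta_ij) = (f_ij + p_ij, r_ij + g_ij), P_i reveals her pads, and every
    party unblinds and re-runs P_i's checks. Happy parties' pads stay secret, so their
    blinded broadcasts leak nothing. Returns the unblinded values, or None (D discarded)."""
    pc = [commit(secrets.randbelow(P)) for _ in range(n)]  # (PCom_ij, (p_ij, q_ij))
    gc = [commit(secrets.randbelow(P)) for _ in range(n)]  # (GCom_ij, (g_ij, h_ij))
    assert all(open_ok(c, *o) for c, o in pc + gc)         # D's verification of pads
    p = [o[0] for _, o in pc]
    g = [o[0] for _, o in gc]
    alpha = [(priv[(i, j)][0] + p[j - 1]) % P for j in range(1, n + 1)]
    beta = [(priv[(i, j)][1] + g[j - 1]) % P for j in range(1, n + 1)]
    unblinded = {(i, j): ((alpha[j - 1] - p[j - 1]) % P, (beta[j - 1] - g[j - 1]) % P)
                 for j in range(1, n + 1)}
    return unblinded if party_checks(com, unblinded, i, n, t) else None

def reconstruct(com, priv, parties, n, t):
    """Confirmed parties reveal f_i(x) = F(x, i); F(0, y) is interpolated from t+1
    values f_i(0) = F(0, i) and s' = F'(0, 0) is output."""
    confirmed = [i for i in parties if party_checks(com, priv, i, n, t)][: t + 1]
    f0 = [(i, lagrange_at([(j, priv[(i, j)][0]) for j in range(1, n + 1)], 0))
          for i in confirmed]
    return lagrange_at(f0, 0)

def simulate(s, n, t, cheat=False):
    """Whole run for n >= 2t+1. With cheat=True the dealer hands P_1 a share that does
    not open Com_12; P_1 becomes unhappy and the round-2 unblinding exposes D."""
    com, priv = dealer_round1(s, n, t)
    if cheat:
        priv[(1, 2)] = ((priv[(1, 2)][0] + 1) % P, priv[(1, 2)][1])
    for i in range(1, n + 1):
        if not party_checks(com, priv, i, n, t):
            fixed = resolve_unhappy(com, priv, i, n, t)
            if fixed is None:
                return "D discarded"
            priv.update(fixed)  # P_i outputs the unblinded (f_ij, r_ij)
    return reconstruct(com, priv, list(range(1, n + 1)), n, t)
```

The degree check is what the bivariate polynomial buys without homomorphism: each party holds n committed points of f_i(x), so any t + 1 of them fix the polynomial and the remaining points either lie on it or expose the dealer; the symmetric layout then lets pairs of parties cross-check f_i(j) = f_j(i) through the shared commitment Com_ij = Com_ji.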

Theorem 1. Protocol 2-Round-VSS is a VSS scheme for n ≥ 2t + 1.

Proof. We prove the secrecy, correctness and strong commitment properties of VSS to show that the above theorem holds.

Secrecy. The secrecy of the scheme follows from the unconditional hiding property of the underlying commitment function and the properties of the symmetric bivariate polynomial. D's public commitments Com_ij will be uniformly distributed given the unconditional hiding property of the underlying commitment function. Moreover, the α_ij, β_ij values for j ∈ [1, n] corresponding to honest P_i's will be uniformly distributed. Now the secrecy of the constant term of D's degree-t bivariate polynomial follows from the standard information-theoretic argument [ref] against an adversary controlling at most t parties, i.e.,

$$\Pr[\mathcal{A} \text{ computes } s \mid \{V_i \text{ for any } t \text{ parties}, \text{Public Information}\}] = \Pr[\mathcal{A} \text{ computes } s],$$

where V_i represents all the information available at or computable by party P_i at the end of the sharing phase.

Correctness. If D is honest, then he will never be discarded. Moreover, all the honest parties will be happy. Now, correctness will follow if we show that a corrupted P_i ∈ Q is considered confirmed only when she broadcasts correct polynomials in the reconstruction phase. Assume that corrupted P_i is considered confirmed even when she broadcasts f'_ij and r'_ij for j ∈ [1, n], where these values are not equal to f_ij and r_ij (as given by D). We can then devise an algorithm to break the computational binding property of the commitment function using this adversary. Therefore, given that the commitment function achieves computational binding, all the confirmed parties disclose the proper f_ij and r_ij for j ∈ [1, n]. Therefore, every honest party will correctly reconstruct F(x, y) and consequently s = F(0, 0).

Strong Commitment. We have to consider the case of a corrupted D. If D is discarded in the sharing phase, then every party may assume some default predefined value as D's secret. So we consider the case when D is not discarded.

Firstly, note that an honest party will never be discarded. Moreover, at the end of the sharing phase honest P_i will output n points (i.e., f_ij's for all j ∈ [1, n]) on a degree-t polynomial f_i(x) and n values r_ij such that for every honest P_j it holds that f_ij = f_ji and r_ij = r_ji. We show this by considering all three cases for any pair of honest parties (P_i, P_j):

If P_i and P_j are happy, then we have Com_ij = Com_ji. Now P_i verified consistency of (Com_ij, f_ij, r_ij), and P_j verified consistency of (Com_ji, f_ji, r_ji). This implies the pair (f_ij, r_ij) is the same as (f_ji, r_ji), unless corrupted D had broken the binding property of the commitment function.

If P_i is happy and P_j is unhappy, then (Com_ij, f_ij, r_ij) is consistent and also Com_ij = Com_ji. For P_j, we have two cases: (1) D has broadcast f_jk and r_jk for k ∈ [1, n]; (2) D broadcast α_jk, β_jk for k ∈ [1, n] and P_j computed f_jk = α_jk − p_jk, r_jk = β_jk − g_jk. However, in both the above cases, f_jk and r_jk are consistent with Com_jk for all k ∈ [1, n] (for otherwise D would have been discarded). This also implies that the tuple (Com_ji, f_ji, r_ji) is consistent. Again, unless corrupted D had broken the binding property of the commitment function, the pairs (f_ij, r_ij) and (f_ji, r_ji) are identical.

If P_i and P_j are unhappy, then D would have been discarded if the pairs (f_ij, r_ij) and (f_ji, r_ji) were not identical.

So unless corrupted D breaks the binding property of the commitment function, the polynomials of the honest parties define a symmetric bivariate polynomial, say F(x, y). Now in the reconstruction phase, every honest party will be considered confirmed. However, a corrupted party will be considered confirmed if she broadcasts points on the degree-t polynomial f_i(x) = F(x, i) (assuming she does not break the binding of the commitment function). Let P_i broadcast n points, say f'_ij's, corresponding to an f'_i(x) that is different from f_i(x). Then f'_ij must be different from f_ij for at least one j where P_j is honest. Then f'_ij will not be consistent with Com_ij and P_i will not be confirmed. Now it follows that the parties will reconstruct D's committed secret s = F(0, 0) in the reconstruction phase. □

The sharing phase of our 2-Round-VSS protocol requires O(n^2 k) bits of broadcast and O(n^2 k) bits of private communication, while the reconstruction phase requires O(n^2 k) bits of broadcast. This communication complexity is at least a linear factor lower than that of the unconditional VSS schemes for n ≥ 2t + 1 [ref]. On the other hand, it is also a linear factor higher than the communication complexity of 3-round Pedersen or Feldman VSS. This difference arises due to the use of a bivariate polynomial in our protocol, which results from the lack of homomorphism in the commitment scheme in use. We consider this increase in the communication complexity a price paid for the reduction in assumptions. In Section 3.4 we present a more efficient VSS protocol using homomorphic commitments that has the same communication complexity as Pedersen or Feldman VSS, but requires one less round of communication.


3.3 (Im)possibility Results for 1-Round VSS

Here, we prove the impossibility of 1-round VSS except when t = 1 and n ≥ 4, which lower-bounds the round complexity of computational VSS for n ≥ 2t + 1 and any t to two. Our 2-round protocol presented in the previous section thus has optimal round complexity. Our results hold irrespective of the computational or unconditional nature of the secrecy property.

Theorem 2. 1-round VSS is impossible for t ≥ 2 and n ≥ 4, irrespective of the number of rounds in the reconstruction phase.

Proof (Sketch). The proof of this theorem is very similar to the proof of Theorem 7 of [ref]. We prove the theorem by contradiction. So we assume that a 1-round VSS, say Π, with t = 2 exists. Without loss of generality, we assume D to be some party other than P_1. We then show that for any execution, if party P_1 receives some particular piece of information from the dealer, then she will reconstruct a particular secret in the reconstruction phase irrespective of what P_2, ..., P_n have received from the dealer. This of course allows us to show a breach of secrecy of Π, since P_1 could be the sole corrupted party and can distinguish the secret when she receives the particular information. We note that the proof does not make any assumption on the computational power of P_1, i.e., even a polynomial-time P_1 can breach the secrecy. Since the proof strategy is very similar to the proof of Theorem 7 of [ref], we skip the details here and present a detailed proof in the full version of the paper [ref].

Theorem 3. 1-round VSS is impossible for n ≤ 3t, irrespective of the number of rounds in the reconstruction phase.

Proof (Sketch). This theorem is also proved by contradiction. In brief, we show that if such a scheme exists, then the view of any t parties in the sharing phase must determine the secret. This further implies a breach of secrecy, since adversary A can corrupt and coordinate any t parties. A detailed proof appears in the full version of the paper [ref].

In Theorem 3 we show that 1-round VSS is impossible for n ≤ 3t, which implies the impossibility of 1-round VSS for t = 1 and n ≤ 3. Further, in Theorem 2 we show that 1-round VSS is impossible for t ≥ 2 and n ≥ 4. Therefore, 1-round VSS, if possible, will work for t = 1 and n ≥ 4. We present a 1-round protocol in support of the corollary in the full version of the paper.

602 M. Backes, A. Kate, and A. Patra

VSS with an External Dealer. Here it can be shown that 1-round sharing VSS is impossible even in the presence of a single corruption apart from the dealer, irrespective of the total number of parties and the number of rounds in the reconstruction phase. Basically, we can follow the proof of Theorem 2 and arrive at the same contradiction while assuming t = 1 and that the dealer is corrupted. Hence, we have the following theorem.

Theorem 4. 1-round VSS with an external dealer is impossible for t > 0, irrespective of the number of parties and the number of rounds in the reconstruction phase.


3.4 An Efficient 2-round VSS Using Homomorphic Commitments

We now present a 2-round sharing, 1-round reconstruction VSS protocol for
n ≥ 2t + 1 using homomorphic commitments. It has the same message and
communication complexities as the Feldman and Pedersen VSS schemes,
and requires one less round of interaction. The protocol is similar to our 2-round
protocol in Section 3.2; however, we do not need bivariate polynomials here.

Without loss of generality, we use the Pedersen commitment scheme as a
representative homomorphic commitment scheme. In the sharing phase, dealer
D chooses two random degree-t polynomials f(x) and r(x) such that f(0) = s.
Dealer D then sends f_i = f(i) and r_i = r(i) to each P_i over the private links
and broadcasts commitments on the coefficients of f(x) (using the coefficients
of r(x) as random strings). By the end of the second round, every honest party
must hold the correct point on the committed polynomial. To ensure that, every
P_i sends two pairs (p_i, q_i) and (g_i, h_i) in F_p to dealer D and publicly commits
to p_i (using q_i as a random element) and to g_i (using h_i as a random element).
Broadcasts and local computations in the second round are very similar to
2-Round-VSS in Section 3.2. The protocol is presented in Fig. 3. Similar to
2-Round-VSS, we note that there will be agreement among the parties at the end
of the local computation of the sharing phase on whether D is discarded or not.
If D is not discarded, then every honest party will have an identical copy of Q.

Theorem 5. Protocol 2-Round-VSS-Hm is a VSS scheme for n ≥ 2t + 1.

The proof of the theorem closely follows the proof of the corresponding theorem
for 2-Round-VSS, and we include it in the full version of the paper.

The sharing phase requires O(nκ) bits of communication over both the private
links and the broadcast channel. The reconstruction phase requires O(nκ) bits
of communication over the broadcast channel.
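As an added example (not the paper's own code), the following Python simulates 2-Round-VSS-Hm of Fig. 3 with Pedersen commitments over a constructed toy group (p = 47, q = 23, g = 4, h = 9; far too small to be secure) for n = 5 and t = 2: the homomorphic check Commit(f_i, r_i) = ∏ Com_j^{i^j}, the pad-and-unmask path by which every party verifies an unhappy party's point without D revealing any other point, and the confirmed-point interpolation of the reconstruction phase. The corrupt_index switch is a constructed dealer misbehaviour used only to exercise the discard rule; all shareholders are honest in the simulation.

```python
import random

# Constructed toy parameters (far too small to be secure): q = 23 is prime,
# p = 2q + 1 = 47, and g = 4, h = 9 generate the order-q subgroup of Z_p^*.
# Shares live in Z_q (exponents); commitments live in the subgroup (mod p).
P, Q, G, H = 47, 23, 4, 9


def commit(a, b):
    """Pedersen commitment Commit(a, b) = g^a h^b mod p, with b the random element."""
    return pow(G, a % Q, P) * pow(H, b % Q, P) % P


def eval_poly(coeffs, x):
    """Evaluate a polynomial over Z_q from its coefficients (constant term first)."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def interpolate_at_zero(points):
    """Lagrange interpolation over Z_q through the (x, y) points, evaluated at 0."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % Q, den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def consistent(i, fi, ri, coms):
    """The homomorphic test used throughout Fig. 3:
    Commit(f_i, r_i) == prod_{j=0..t} Com_j^(i^j), which equals g^f(i) h^r(i)."""
    expected = 1
    for j, com_j in enumerate(coms):
        expected = expected * pow(com_j, i ** j, P) % P
    return commit(fi, ri) == expected


def sharing_phase(s, n, t, rng, corrupt_index=None):
    """Both rounds of 2-Round-VSS-Hm with honest shareholders. With corrupt_index set,
    D hands that party a wrong point (constructed misbehaviour) so that the
    mask/unmask path is exercised. Returns (status, shares_of_Q, coms)."""
    # Round 1, D: f(0) = s, r random, Com_j = Commit(a_j, b_j) on coefficient pairs.
    f = [s % Q] + [rng.randrange(Q) for _ in range(t)]
    r = [rng.randrange(Q) for _ in range(t + 1)]
    coms = [commit(a, b) for a, b in zip(f, r)]
    private = {i: (eval_poly(f, i), eval_poly(r, i)) for i in range(1, n + 1)}
    if corrupt_index is not None:
        fi, ri = private[corrupt_index]
        private[corrupt_index] = ((fi + 1) % Q, ri)
    # Round 1, P_i: send pads (p_i, q_i), (g_i, h_i) to D and commit to them publicly.
    pads = {i: tuple(rng.randrange(Q) for _ in range(4)) for i in private}
    pcom = {i: commit(p, q) for i, (p, q, _, _) in pads.items()}
    gcom = {i: commit(g, h) for i, (_, _, g, h) in pads.items()}
    # Round 2, D: the pads match their commitments, so D broadcasts
    # alpha_i = f_i + p_i and beta_i = r_i + g_i (p_i, g_i hide the point from others).
    masked = {i: ((private[i][0] + p) % Q, (private[i][1] + g) % Q)
              for i, (p, _, g, _) in pads.items()}
    # Round 2, P_i: an unhappy party (its point fails the test) reveals its pads.
    unhappy = {i: pads[i] for i in private if not consistent(i, *private[i], coms)}
    # Local computation, the same at every party: decide on D and on the set Q.
    q_set = set(private)
    for i, (p, q, g, h) in unhappy.items():
        if pcom[i] != commit(p, q) or gcom[i] != commit(g, h):
            q_set.discard(i)          # pads do not open PCom_i/GCom_i: discard P_i
            continue
        f_i, r_i = (masked[i][0] - p) % Q, (masked[i][1] - g) % Q
        if not consistent(i, f_i, r_i, coms):
            return "discarded", {}, coms   # everyone sees D's point is inconsistent
    return "ok", {i: private[i] for i in q_set}, coms


def reconstruction_phase(broadcast, coms, t):
    """Parties in Q broadcast (f_i, r_i); only points passing the homomorphic test are
    'confirmed', and any t+1 confirmed points interpolate f'(0) = s'."""
    confirmed = [(i, fi) for i, (fi, ri) in sorted(broadcast.items())
                 if consistent(i, fi, ri, coms)]
    if len(confirmed) < t + 1:
        return None
    return interpolate_at_zero(confirmed[: t + 1])
```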

Protocol 2-Round-VSS-Hm(D, P, s)

Sharing Phase: Two Rounds
Round 1:

1. D selects two random polynomials f(x) and r(x) of degree t, such that
   f(0) = s. Let f(x) = a_0 + a_1 x + ... + a_t x^t and
   r(x) = b_0 + b_1 x + ... + b_t x^t.

2. For every i ∈ [1, n], D sends f_i = f(i) and r_i = r(i) to P_i and broadcasts
   Com_i = Commit(a_i, b_i) for i = 0, ..., t.

3. Every party P_i sends two pairs (p_i, q_i) and (g_i, h_i) in F_p to D and
   broadcasts commitments PCom_i = Commit(p_i, q_i) and GCom_i = Commit(g_i, h_i).

Round 2:

1. D checks if PCom_i and GCom_i are consistent with the received pairs (p_i, q_i)
   and (g_i, h_i). If they are not consistent, then D broadcasts (f_i, r_i); else he
   broadcasts α_i = f_i + p_i and β_i = r_i + g_i.

2. Party P_i checks if Commit(f_i, r_i) = ∏_{j=0}^{t} (Com_j)^{i^j}. If not, then P_i
   broadcasts the pairs (p_i, q_i) and (g_i, h_i), else she broadcasts nothing. Party
   P_i is considered happy in the latter case and unhappy in the former case.

Local Computation: Every party P_k

1. discards D and halts the execution of 2-Round-VSS-Hm, if D broadcasts
   (a) f_i, r_i for some i and Commit(f_i, r_i) ≠ ∏_{j=0}^{t} (Com_j)^{i^j};
   (b) α_i, β_i and P_i broadcasts (p_i, q_i) and (g_i, h_i) such that
       PCom_i = Commit(p_i, q_i) and GCom_i = Commit(g_i, h_i) and
       Commit(f'_i, r'_i) ≠ ∏_{j=0}^{t} (Com_j)^{i^j}, where f'_i = α_i − p_i
       and r'_i = β_i − g_i.

2. discards an unhappy party P_i if she broadcasts (p_i, q_i) and (g_i, h_i) such
   that PCom_i ≠ Commit(p_i, q_i) or GCom_i ≠ Commit(g_i, h_i). Let Q be the set
   of non-discarded parties.

3. outputs f_k, r_k as received from D in round 1, if P_k is in Q and happy. An
   unhappy P_k in Q outputs f_k, r_k if they are directly broadcast by D in
   round 2. Else P_k computes f_k and r_k as f_k = α_k − p_k and r_k = β_k − g_k.

Reconstruction Phase: One Round
Round 1:

1. Each P_i ∈ Q broadcasts f_i and r_i.

Local Computation: For every party P_k,

1. Party P_i ∈ Q is said to be confirmed, if
   Commit(f_i, r_i) = ∏_{j=0}^{t} (Com_j)^{i^j}.

2. Consider the f_i values of any t + 1 confirmed parties and interpolate f'(x).
   Output s' = f'(0).


Fig. 3. Protocol 2-Round-VSS-Hm for n ≥ 2t + 1 with Homomorphic Commitments


4 VSS in the Asynchronous Communication Model

We now shift our focus to the asynchronous communication setting where VSS
is possible for n ≥ 3t + 1. As we discuss in the related work, all known computa-
tional VSS schemes [ref] in the asynchronous communication setting rely on
homomorphism of commitments. In this section, we show that homomorphism
is not necessary for computational VSS in the asynchronous communication set-
ting. We build our protocol from the asynchronous VSS of [ref], as it is the only
generic and efficient asynchronous VSS scheme known in the literature. Further,
with its O(n^2) message complexity, it is extremely efficient in terms of the num-
ber of messages. We modify this scheme so that it satisfies the VSS properties
when the underlying commitment need not be homomorphic. This protocol does
not guarantee that every honest party receives his share of the secret. However, it
guarantees that even a corrupted D cannot commit to ⊥ instead of a secret from
F_p (which is stronger than the basic definition given in Section 2.2). We present
another protocol in the full version that achieves the stronger definition where
every party receives his share of the secret. Although this protocol increases the
communication complexity by a linear factor in n, it is highly efficient in terms
of communication when compared with the unconditional schemes [ref].


4.1 Asynchronous Communication Model

We follow the communication model of [ref] and assume an asynchronous net-
work of n parties P_1, ..., P_n such that every pair of parties is connected by an
authenticated and private communication link. We work against a t-bounded
adaptive adversary that we defined in Section 2.1. In the asynchronous commu-
nication setting, we further assume that the adversary controls the network and
may delay messages between any two honest parties. However, it cannot read
or modify these messages as the links are private and authenticated, and it also
has to eventually deliver all the messages sent by honest parties. In the asyn-
chronous communication setting, a VSS scheme has to satisfy the liveness and
agreement properties (also called the termination conditions) along with the
secrecy, correctness and commitment properties described in Section 2.2.

Liveness. If the dealer D is honest in the sharing phase, then all honest parties
complete the sharing phase.

Agreement. If some honest party completes the sharing phase, then all honest
parties complete the sharing phase eventually. If all honest parties subse-
quently start the reconstruction, then all honest parties will complete it.


4.2 VSS for n ≥ 3t + 1 from Any Commitment

We observe that the VSS of [ref] heavily relies on homomorphism of the underlying
commitment scheme and does not satisfy the VSS properties if we replace the
homomorphic commitments by non-homomorphic commitments (the agreement
property will not be satisfied). The incapability stems from the fact that verifying
the following with respect to a non-homomorphic commitment is not easy: given
commitments on n values (associated with n indices), the underlying values define
a degree-t polynomial. However, we find that with subtle enhancements to the VSS
of [ref], one can obtain an asynchronous VSS protocol. In our enhanced protocol,
a majority (t + 1 or more) of the honest parties receive a proper share of the
secret (a t-degree univariate polynomial), while the remaining honest parties are
assured that there are t + 1 or more honest parties that have received a t-degree
univariate polynomial and can complete the reconstruction phase. The message
and communication complexities of our protocol are the same as those of the
VSS of [ref].

In our protocol, D chooses a symmetric bivariate polynomial F(x, y) satisfying
F(0, 0) = s. He then computes an n × n commitment matrix Com such that the
(i, j)-th entry in Com is the commitment on F(i, j). Now D delivers f_i(x) = F(x, i)
and Com to every P_i. In the rest of the protocol the parties try to agree on Com
and check whether their polynomials are consistent with Com or not. We observe
that the parties do not need to exchange and verify their common points on the
bivariate polynomial, given that agreement on Com can be achieved, because the
parties can now perform local consistency checking of their polynomial with Com.
In our protocol, some honest parties may not receive polynomials consistent with
Com; however, they still help to reach agreement on Com, sensing that a majority
of the honest parties have received a common Com and that the polynomials
received by them are consistent with Com. We describe the protocol in Fig. 4.

Protocol AsynchVSS(D, P, s)

Sharing Phase:

Code for D:

— Choose a random symmetric bivariate polynomial F(x, y) of degree t such that
  F(0, 0) = s.

— Compute [Com_ij, (f_ij, r_ij)] = Commit(f_ij) for i, j ∈ [1, n] and i ≥ j, where
  f_ij = F(i, j).

— Assign Com_ij = Com_ji and r_ij = r_ji for i, j ∈ [1, n] and i < j. Let Com be the
  n × n matrix containing Com_ij for j ∈ [1, n] in the i-th row.

— Send (send, Com, f_i(x), r_i(x)) to P_i, where f_i(x) = F(x, i) and r_i(x) is the
  degree-(n − 1) polynomial defined by the points ((1, r_i1), ..., (n, r_in)).

Code for P_i:

— On receiving (send, Com, f_i(x), r_i(x)) from D, send (echo, Com) to every P_j if
  (a) Com is an n × n symmetric matrix and (b) f_i(j) = Open(Com_ij, f_i(j), r_i(j))
  for every j.

— On receiving (echo, Com) from at least 2t + 1 parties (possibly including it-
  self) satisfying that the Com received from P_j is the same as received from D,
  send (ready, share-holder, Com) to every P_j, if you have already sent out echo
  messages.

— If you have not sent out any ready signal before:

  1. on receiving ready messages from at least t + 1 P_j's satisfying that the Com
     received from P_j is the same as received from D, send (ready, share-holder,
     Com) to every P_j, if you have already sent out echo messages.

  2. on receiving (ready, share-holder, Com') from at least t + 1 P_j's such that
     all the Com' are the same but do not match the copy received from D, update
     your Com with this new matrix, delete everything else received from D and
     send (ready, *, Com) to every P_j.

— On receiving ready signals from at least 2t + 1 parties such that all of them
  contain the same Com as yours and at least t + 1 ready signals contain
  share-holder, agree on Com and terminate.

Reconstruction Phase:

Code for P_i:

1. Send (f_i(x), r_i(x)) to every P_j if you had sent (ready, share-holder, Com) in
   the sharing phase.

2. Wait for t + 1 (f_j(x), r_j(x)) messages such that f_j(x) is a degree-t polynomial,
   r_j(x) is a degree-(n − 1) polynomial and f_j(k) = Open(Com_jk, f_j(k), r_j(k))
   for all k ∈ [1, n]; interpolate F(x, y) using those t + 1 f_j(x) polynomials and
   compute s = F(0, 0) as the secret.


Fig. 4. Asynchronous VSS for n ≥ 3t + 1 (optimal resilience)
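An added example (not the paper's code) of the share-checking and reconstruction logic of AsynchVSS with a non-homomorphic commitment, here SHA-256 over value and randomness, on a constructed toy field Z_101 with n = 7 and t = 2: D builds the symmetric commitment matrix Com with r_ij = r_ji, each P_i opens its own row entry by entry with no algebra on the commitments, and reconstruction interpolates F(0, y) at y = 0 from t + 1 accepted polynomials. The echo/ready agreement on Com is not simulated; the block assumes Com has already been agreed and sends f_i(x) as its coefficient list.

```python
import hashlib
import random

Q = 101  # constructed toy prime field Z_q for F's coefficients; points 1..n < q


def commit(value, rand):
    """Non-homomorphic commitment Commit(v; r) = SHA-256(v || r): binding under
    collision resistance, hiding because r is random, no algebraic structure."""
    return hashlib.sha256(f"{value}|{rand}".encode()).hexdigest()


def open_ok(com, value, rand):
    """Open(Com, v, r) succeeds iff recommitting v with r reproduces Com."""
    return commit(value, rand) == com


def eval_poly(coeffs, x):
    """Evaluate a univariate polynomial over Z_q (constant term first)."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def eval_bivariate(c, x, y):
    """F(x, y) = sum_{a,b} c[a][b] x^a y^b over Z_q; c symmetric, so F(x, y) = F(y, x)."""
    return sum(c[a][b] * pow(x, a, Q) * pow(y, b, Q)
               for a in range(len(c)) for b in range(len(c))) % Q


def interpolate_at_zero(points):
    """Lagrange interpolation over Z_q through the (x, y) pairs, evaluated at x = 0."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % Q, den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def dealer(s, n, t, rng):
    """Code for D. Returns the symmetric 1-indexed matrix Com and, for each P_i, the
    message (f_i(x) as coefficients, r_i(1..n)) where f_i(x) = F(x, i), r_i(j) = r_ij."""
    c = [[0] * (t + 1) for _ in range(t + 1)]
    for a in range(t + 1):
        for b in range(a, t + 1):
            c[a][b] = c[b][a] = rng.randrange(Q)
    c[0][0] = s % Q                                # F(0, 0) = s
    rnd = [[0] * (n + 1) for _ in range(n + 1)]
    com = [[None] * (n + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(i, n + 1):                  # fill i <= j, mirror to j < i
            rnd[i][j] = rnd[j][i] = rng.getrandbits(64)
            com[i][j] = com[j][i] = commit(eval_bivariate(c, i, j), rnd[i][j])
    msgs = {}
    for i in range(1, n + 1):
        # coefficient of x^a in F(x, i) is sum_b c[a][b] i^b
        fi = [sum(c[a][b] * pow(i, b, Q) for b in range(t + 1)) % Q
              for a in range(t + 1)]
        msgs[i] = (fi, [rnd[i][j] for j in range(1, n + 1)])
    return com, msgs


def accept_share(i, com, fi, ri, n, t):
    """The local consistency check of P_i (sharing phase) and of every reconstructor:
    Com is n x n symmetric, f_i has degree t, and f_i(j) opens Com_ij with r_i(j) for
    every j. No homomorphism is needed: each matrix entry is opened individually."""
    if len(fi) != t + 1:
        return False
    if any(com[a][b] != com[b][a] for a in range(1, n + 1) for b in range(1, n + 1)):
        return False
    return all(open_ok(com[i][j], eval_poly(fi, j), ri[j - 1]) for j in range(1, n + 1))


def reconstruct(com, received, n, t):
    """Reconstruction: keep only (f_j, r_j) that pass accept_share, then interpolate
    F(0, y) from the points (j, f_j(0)) of t + 1 accepted parties and output F(0, 0).
    Accepted f_j all lie on the single F that Com binds D to (Lemma 3)."""
    good = [(j, fj[0]) for j, (fj, rj) in sorted(received.items())
            if accept_share(j, com, fj, rj, n, t)]
    if len(good) < t + 1:
        return None
    return interpolate_at_zero(good[: t + 1])
```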

Lemma 1. If an honest party P_i sends a ready message containing Com and a
distinct honest party P_j sends a ready message containing Com', then Com = Com'.

Proof. We prove this by contradiction. Suppose there exists an honest pair (P_i, P_j)
such that Com ≠ Com'. The honest P_i communicates ready with Com if: (a) it
receives (echo, Com) from at least 2t + 1 parties OR (b) it receives (ready, •, Com)
from at least t + 1 parties, where • can be either share-holder or *. Similar
reasons apply for P_j, who sends Com'. If P_i and P_j send ready messages due to
(a), then it implies that there is at least one honest party who communicates
echo messages with Com as well as with Com'. This is impossible, since an honest
party communicates echo with a unique matrix. For all other cases, we arrive
at the contradiction that there is at least one honest party who sends echo with
two different matrices or ready with two different matrices. We show this by
considering the case when P_i sends ready due to (a) and P_j sends due to (b).
The other cases will follow. P_j sending ready due to (b) implies that there is at
least one honest party, say P_k, who communicated ready with Com' to P_j. Then
by a chain of arguments, we either get that honest P_i has sent ready with Com' or
get an honest party (possibly including P_i) who communicates ready with Com'
due to (a). In both cases, we arrive at a contradiction, since no honest party can
send echo/ready with two different matrices. Hence, we prove the lemma. □

Lemma 2. If some honest party P_i has agreed on Com, then every honest party
will eventually agree on Com.

Proof. To prove the lemma, it is enough to prove the following: If some honest
party P_i has received 2t + 1 ready messages with Com such that at least t + 1 of
them contain share-holder, then every honest party will eventually receive the
same. If P_i receives ready messages as above, then there are at least t + 1 honest
parties who send out ready messages with Com and at least one of the honest
parties' ready messages must contain share-holder. An honest party sends out
ready with share-holder in two cases: (a) She received at least 2t + 1 echo
messages with Com and she has sent out echo with Com. Among these 2t + 1 parties
t + 1 are honest and they will eventually receive ready messages from all the t + 1
honest parties who also sent the same to P_i (also by Lemma 1, if some honest
party has sent a ready message with Com, then no other honest party will send
ready with Com' ≠ Com). Hence these t + 1 honest parties will eventually send out
ready with share-holder. Hence eventually every honest party will receive 2t + 1
ready messages with Com such that at least t + 1 of them contain share-holder.

(b) She received at least (t + 1) ready messages with Com and she has sent out
echo with Com. Among these (t + 1), there is at least one honest party, say P_k. If
P_k has sent ready with share-holder, then by a recursive argument this case will
boil down to case (a). However, if P_k sends ready without share-holder, then
he has received at least t + 1 ready messages with share-holder, which ensures
the existence of another honest P_l who sent a ready message with share-holder.
Now again by a recursive argument, this case will boil down to case (a). □
Lemma 3. If some honest party P_i has agreed on Com, then there is a set H of
at least t + 1 honest parties each holding a degree-t polynomial f_j(x) such that it is
consistent with Com and there is a symmetric bivariate polynomial F(x, y) such
that F(x, j) = f_j(x).

Proof. If honest P_i has agreed on Com, then she has received 2t + 1 ready mes-
sages with Com such that at least t + 1 of them contain share-holder. From
the previous proof, t + 1 honest parties (possibly including P_i) will eventually
send out ready with share-holder. So there will be a set of at least t + 1 honest
parties who send out ready with share-holder. We claim that this set of honest
parties, denoted by H, will satisfy the conditions mentioned in the lemma
statement. We notice that the honest parties in H never update Com and, by the
previous lemma, they eventually agree on the same. Also they send out echo
well before sending out ready. This implies that each honest party P_i in H ensures
that her polynomial f_i(x) (i.e. the points on it) is consistent with Com. Now
we proceed to show that there is a symmetric bivariate polynomial F(x, y) such
that F(x, i) = f_i(x). This can be shown by showing that for every pair (P_i, P_j) from
H, f_i(j) = f_j(i) holds. This follows from the fact that P_i and P_j have the same
Com, where they checked that Com_ij = Com_ji holds, and then P_i and P_j individually
ensured f_i(j) = Open(Com_ij, f_i(j), r_i(j)) and f_j(i) = Open(Com_ji, f_j(i), r_j(i)),
respectively. If the above arguments do not hold, then the corrupted D has broken
the binding property of the underlying commitment, as he knows how to open
Com_ij in two different ways. □

Theorem 6. Protocol AsynchVSS is an asynchronous VSS for n ≥ 3t + 1.

Proof. Liveness. If D is honest, then every honest party will eventually send
out echo and then ready with share-holder. Since there are at least 2t + 1
honest parties, every honest party will eventually agree on Com.

Agreement. Agreement follows from Lemma 2.

Correctness. Correctness follows from the lemmas above. The honest dealer case
is easy to follow. For a corrupted dealer the unique secret determined in the shar-
ing phase is nothing but the constant term of F(x, y) defined by H in Lemma 3.
In the reconstruction phase, all the parties will reconstruct D's secret us-
ing the polynomials sent by the honest parties in H. Specifically, every honest
party will definitely consider f_j(x), r_j(x) sent by party P_j in H. However, we
will be done if we show that any wrong degree-t polynomial f'_j(x) sent by a
corrupted party P_j will never be considered (unless corrupted P_j breaks binding
of the commitment). This is ensured by the following check performed by an hon-
est party before considering P_j's polynomial for the reconstruction of F(x, y):
f'_j(k) = Open(Com_jk, f'_j(k), r'_j(k)) for all k ∈ [1, n]. This check ensures that f'_j(x)
must match f_j(x) at the t + 1 positions corresponding to H. But then it
implies f'_j(x) = f_j(x).

Secrecy. Follows from the properties of the bivariate polynomial and the hiding of
the underlying commitment scheme. □
5 Discussion and Future Work

In this paper, we considered computational VSS as a standalone primitive. Our
VSS schemes may also be easily leveraged in applications such as asynchronous
Byzantine agreement protocols [ref]. However, other VSS applications such as
proactive share renewal and share recovery schemes [ref] and distributed key
generation [ref] heavily rely on homomorphism of the commitments. It repre-
sents an interesting open problem whether we can do better than in the unconditional
case (e.g., [ref]) for these applications. Further, most of the threshold crypto-
graphic protocols also rely on homomorphism to verify correctness. It will
be interesting to check the feasibility of these threshold protocols based on our VSS
schemes without using expensive zero-knowledge proofs.

Finally, our schemes based on the definitional properties of commitments are
expensive (by a linear factor) in terms of communication complexity in com-
parison to the respective schemes employing homomorphic commitments. It is
worthwhile to study whether this gap in communication complexity is inevitable.
Abstract. We present new families of access structures that, similarly
to the multilevel and compartmented access structures introduced in
previous works, are natural generalizations of threshold secret sharing.
Namely, they admit ideal linear secret sharing schemes over every
large enough finite field, they can be described by a small number of
parameters, and they have useful properties for the applications of secret
sharing. The use of integer polymatroids makes it possible to find many
new such families and it simplifies in great measure the proofs for the
existence of ideal secret sharing schemes for them.

Keywords: Cryptography, secret sharing, ideal secret sharing schemes,
multipartite secret sharing, integer polymatroids.


1 Introduction 

The first proposed secret sharing schemes by Shamir [ref] and by Blakley [ref]
have threshold access structures, that is, the qualified subsets are those having
at least a certain number of participants. In addition, they are ideal, which
means that every share has the same length as the secret. Moreover, as was
noticed by Bloom [ref] and by Karnin, Greene and Hellman [ref], they are linear,
which implies that both the computation of the shares and the reconstruction
of the secret can be performed by using basic linear algebra operations.

Even though there exists a linear secret sharing scheme for every access struc-
ture [ref], the known general constructions are very inefficient because the
length of the shares grows exponentially with the number of participants. Actu-
ally, the optimization of secret sharing schemes for general access structures has
appeared to be an extremely difficult problem and not much is known about it.
Readers are referred to [ref] for a recent survey on this topic.

Nevertheless, this does not mean that efficient secret sharing schemes exist
only for threshold access structures. Actually, the construction of ideal linear
secret sharing schemes for non-threshold access structures has attracted a lot of
attention. This line of research was initiated by Kothari [ref], who presented some
ideas to construct ideal linear secret sharing schemes with hierarchical properties.
Simmons [ref] introduced the multilevel and compartmented access structures,
and presented geometric constructions of ideal linear secret sharing schemes for
some of them. Brickell [ref] formalized the ideas in previous works [ref] and
introduced a powerful linear-algebraic method to construct ideal linear secret
sharing schemes for non-threshold access structures. In addition, he used that
method to construct such schemes for the families of access structures introduced
by Simmons [ref]. Tassa [ref] and Tassa and Dyn [ref] combined Brickell's [ref]
method with different kinds of polynomial interpolation to construct ideal linear
secret sharing schemes for more general families of multilevel and compartmented
access structures. Constructions for other interesting variants of compartmented
access structures are given in [ref]. All these families of access structures have
some common features that are enumerated in the following.

1. They are natural and useful generalizations of threshold access structures.
In the threshold case, all participants are equivalent, while the access struc-
tures in those families are multipartite, which means that the participants
are divided into several parts and the participants in the same part play
an equivalent role in the structure. In addition, they have some interesting
properties for the applications of secret sharing. Some of them are useful for
hierarchical organizations, while others can be used in situations requiring
the agreement of several parties.

2. Similarly to the threshold ones, the access structures in those families admit
a very compact description. Typically, they can be described by using a small
number of parameters, at most linear in the number of parts.

3. They are ideal access structures, that is, they admit an ideal secret sharing
scheme. Actually, every one of those access structures admits a vector space
secret sharing scheme, that is, an ideal linear secret sharing scheme con-
structed by using the method proposed by Brickell [ref]. Moreover, the only
restriction on the fields over which these schemes are constructed is their
size, and hence there is no required condition about their characteristic. Ob-
serve that this is also the case for threshold access structures, which admit
vector space secret sharing schemes over every finite field with at least as
many elements as the number of participants.

4. Even though the existence of ideal linear secret sharing schemes for those
access structures has been proved, the known methods to construct such
schemes are not efficient in general. This is an important difference from the
threshold case, in which the construction proposed by Shamir [ref] solves the
problem. Tassa [ref, Section 3.3] presented an efficient algorithm for the mul-
tilevel access structures. This is the only other family for which an efficient
algorithm is known.

5. Determining over which fields those schemes can be constructed is another
open problem. It is unsolved even for threshold access structures. In this case,
it is equivalent to the problem considered in [ref], and it is equivalent as well to
determining over which fields uniform matroids are representable [ref, Problem
6.5.12, Conjecture 14.1.5], and also to determining the size of maximum arcs
in projective spaces [ref]. This is due to the well-known connection between
threshold secret sharing and maximum distance separable codes [ref]. Much
less is known for the other families of multipartite access structures. Differ-
ently from the threshold case, there is a huge gap between the known lower
and upper bounds on the minimum size of such fields.

Two questions naturally arise at this point. The first one is the search for new 
families of access structures with the properties above. The second one is to de- 
termine the existence of efficient methods to construct ideal linear secret sharing 
schemes for them, and to find better bounds on the minimum size of the fields 
over which such schemes can be found. 

Another related line of work deals with the characterization of the ideal ac-
cess structures in several families of multipartite access structures. The bipartite
access structures [ref] and the weighted threshold access structures [ref] were the
first families for which such a characterization was given. Some partial results
about the tripartite case were presented in [ref]. On the basis of the well-known
connection between ideal secret sharing schemes and matroids [ref], Farràs, Martí-
Farré and Padró [ref] introduced integer polymatroids to study ideal multipartite
secret sharing schemes. The power of this new mathematical tool was demon-
strated in the same work by using it to characterize the ideal tripartite access
structures. Subsequently, the use of integer polymatroids made it possible to
characterize the ideal hierarchical access structures [ref].

This work is devoted to the search for new families of ideal access structures 
that are among the most natural generalizations of threshold secret sharing, and 
to the efficiency analysis of the methods to construct ideal secret sharing schemes 
for them. 

Our results strongly rely on the connection between integer polymatroids and
ideal multipartite secret sharing presented in [ref], which is summarized here
in Theorem 2.2. The concepts, notation and related facts that are required to
understand this result are recalled in Section 2. Actually, the use of this tool pro-
vides important advantages in comparison to the techniques applied in previous
constructions of ideal multipartite secret sharing schemes [ref].

While no strong connection between all those families was previously known, a 
remarkable common feature is made apparent by identifying the integer polyma- 
troids that are associated to those ideal multipartite access structures. Namely, 
they are Boolean polymatroids or basic transformations and combinations of 
Boolean polymatroids. This is of course a fundamental clue when trying to find 
new families of ideal access structures satisfying the aforementioned require- 
ments. 

By using other Boolean polymatroids, and by combining them in several dif-
ferent ways, we present a number of new families of ideal multipartite access
structures. Specifically, we present in Section [?] several generalizations of the
compartmented access structures introduced in [ref]. Section [?] deals with
some families of partially hierarchical access structures that can be defined from
Boolean polymatroids. For instance, we present a family of compartmented ac-
cess structures in which every compartment has a hierarchy. Ideal (totally) hi-
erarchical access structures, which were completely characterized in [ref], are
associated as well to a special class of Boolean polymatroids. Finally, we use
another family of integer polymatroids, the uniform ones, to characterize in Sec-
tion [?] the ideal members of another family of multipartite access structures: the
ones that are invariant under every permutation of the parts.

All integer polymatroids that we use to find new families of ideal multipartite
access structures can be defined by a small number of parameters, linear in the
size of the ground set, and they are representable over every large enough finite
field. Actually, these requirements are implied by the conditions we imposed on
the access structures to be simple generalizations of threshold secret sharing. We
analyze in Section 3 the basic integer polymatroids as well as the operations to
modify and combine them that are used in our constructions. In particular, the
result we prove in Proposition 3.4 is extremely useful.

We focus in this paper on a few examples that can be useful for the applica- 
tions of secret sharing, but many other families can be described by using other 
integer polymatroids with those properties, and surely some other useful families 
will be found in future works. 

Differently from the aforementioned previous works, our proofs that the struc-
tures in these new families are ideal are extremely concise. Of course, this is due
to the use of integer polymatroids. In addition, some easily checkable necessary
conditions that are derived from the results in [ref] make it possible to prove that
certain given multipartite access structures are not ideal. This simplifies as well
the search for new families.

Even though the efficiency of the methods to construct actual ideal linear
secret sharing schemes for those families of access structures has not been signif-
icantly improved by using the results from [ref], they provide a unified framework
in which the open problems related to that issue can be precisely stated. These
open problems and some possible strategies to attack them are discussed in
Section [?].

2 Preliminaries 

2.1 Multipartite Access Structures and Their Geometric
Representation

We introduce here some notation that will be used all through the paper. In
addition, we present a very useful geometric representation of multipartite access
structures that was introduced in [ref].

We use Z_+ to denote the set of the non-negative integers. For every i, j ∈ Z
we write [i, j] = {i, i + 1, ..., j} if i < j, while [i, i] = {i} and [i, j] = ∅ if i > j.
Consider a finite set J. We notate J' for a set of the form J' = J ∪ {p_0} for
some p_0 ∉ J. Given two vectors u = (u_i)_{i∈J} and v = (v_i)_{i∈J} in Z^J, we write
u ≤ v if u_i ≤ v_i for every i ∈ J. The modulus |u| of a vector u ∈ Z^J is defined
by |u| = Σ_{i∈J} u_i. For every subset X ⊆ J, we notate u(X) = (u_i)_{i∈X} ∈ Z^X.
The support of u ∈ Z^J is defined as supp(u) = {i ∈ J : u_i ≠ 0}. Finally, we
consider the vectors e^i ∈ Z^J such that e^i_j = 1 if j = i and e^i_j = 0 otherwise.

For a finite set P, we notate P(P) for the power set of P, that is, the set of
all subsets of P. A family Π = (Π_i)_{i∈J} of subsets of P is called here a partition
of P if P = ∪_{i∈J} Π_i and Π_i ∩ Π_j = ∅ whenever i ≠ j. Observe that some of
the parts may be empty. If |J| = m, we say that Π is an m-partition of P. For
a partition Π of a set P, we consider the mapping Π : P(P) → Z_+^J defined by
Π(A) = (|A ∩ Π_i|)_{i∈J}. We write 𝒫 = Π(P(P)) = {u ∈ Z_+^J : u ≤ (|Π_i|)_{i∈J}}.
For a partition Π of a set P, a Π-permutation is a permutation σ on P such
that σ(Π_i) = Π_i for every part Π_i of Π. An access structure on P is said to
be Π-partite if every Π-permutation is an automorphism of it. If the number of
parts in Π is m, such an access structure is called m-partite.

A multipartite access structure can be described in a compact way by taking
into account that its members are determined by the number of elements they
have in each part. If an access structure Γ on P is Π-partite, then A ∈ Γ if and
only if Π(A) ∈ Π(Γ). That is, Γ is completely determined by the partition Π
and the set of vectors Π(Γ) ⊆ 𝒫 ⊆ Z_+^J. Moreover, the set Π(Γ) ⊆ 𝒫 is monotone
increasing, that is, if u ∈ Π(Γ) and v ∈ 𝒫 are such that u ≤ v, then v ∈ Π(Γ).
Therefore, Π(Γ) is univocally determined by min Π(Γ), the family of its minimal
vectors, that is, those representing the minimal qualified subsets of Γ. By an
abuse of notation, we will use Γ to denote both a Π-partite access structure
on P and the corresponding set Π(Γ) of points in 𝒫, and the same applies to
min Γ.

2.2 Polymatroids and Matroids

A polymatroid $\mathcal{S}$ is a pair $(J, h)$ formed by a finite set $J$, the ground set, and a
rank function $h : \mathcal{P}(J) \to \mathbb{R}$ satisfying

1. $h(\emptyset) = 0$, and

2. $h$ is monotone increasing: if $X \subseteq Y \subseteq J$, then $h(X) \le h(Y)$, and

3. $h$ is submodular: if $X, Y \subseteq J$, then $h(X \cup Y) + h(X \cap Y) \le h(X) + h(Y)$.

If the rank function $h$ is integer-valued, we say that $\mathcal{S}$ is an integer polymatroid.
An integer polymatroid such that $h(X) \le |X|$ for every $X \subseteq J$ is called a
matroid. Readers that are unfamiliar with Matroid Theory are referred to the
textbooks [24, 33]. A detailed presentation about polymatroids can be found
in [23, Chapter 44] or [11].

While matroids abstract some properties related to linear dependency of collections
of vectors in a vector space, integer polymatroids do the same with
collections of subspaces. Let $V$ be a $\mathbb{K}$-vector space, and let $(V_i)_{i \in J}$ be a finite
collection of subspaces of $V$. It is not difficult to check that the mapping
$h : \mathcal{P}(J) \to \mathbb{Z}$ defined by $h(X) = \dim\left(\sum_{i \in X} V_i\right)$ is the rank function of an integer
polymatroid. Integer polymatroids and, in particular, matroids that can be defined
in this way are said to be $\mathbb{K}$-representable. Observe that, in a representable
matroid, $\dim V_i \le 1$ for every $i \in J$, and hence representations of matroids are
considered as collections of vectors in a vector space.
Let $\mathcal{Z}$ be an integer polymatroid with ground set $J$. Consider the set $\mathcal{D}$ of the
integer independent vectors of $\mathcal{Z}$, which is defined as

$\mathcal{D} = \{u \in \mathbb{Z}_+^J : |u(X)| \le h(X) \text{ for every } X \subseteq J\}.$

Integer polymatroids can be characterized by their integer bases, which are the
maximal integer independent vectors. A nonempty subset $\mathcal{B} \subseteq \mathbb{Z}_+^J$ is the family
of integer bases of an integer polymatroid if and only if it satisfies the following
exchange condition.

- For every $u \in \mathcal{B}$ and $v \in \mathcal{B}$ with $u_i > v_i$, there exists $j \in J$ such that $u_j < v_j$
and $u - e^i + e^j \in \mathcal{B}$.

In particular, all bases have the same modulus. Every integer polymatroid is
univocally determined by the family of its integer bases. Indeed, the rank function
of $\mathcal{Z}$ is determined by $h(X) = \max\{|u(X)| : u \in \mathcal{B}\}$.

Since only integer polymatroids and integer vectors will be considered, we
will omit the term "integer" most of the time when dealing with the integer
independent vectors or the integer bases of an integer polymatroid.

If $\mathcal{D}$ is the family of independent vectors of an integer polymatroid $\mathcal{Z}$ on $J$,
then, for every $X \subseteq J$, the set $\mathcal{D}|X = \{u(X) : u \in \mathcal{D}\} \subseteq \mathbb{Z}_+^X$ is the family of
independent vectors of an integer polymatroid $\mathcal{Z}|X$ with ground set $X$. Clearly,
the rank function $h|X$ of this polymatroid satisfies $(h|X)(Y) = h(Y)$ for every
$Y \subseteq X$. Because of that, we will use the same symbol to denote both rank
functions.

For an integer polymatroid $\mathcal{Z}$ and a subset $X \subseteq J$ of the ground set, we
write $\mathcal{B}(\mathcal{Z}, X)$ to denote the family of the independent vectors $u \in \mathcal{D}$ such that
$\operatorname{supp}(u) \subseteq X$ and $|u| = h(X)$. Observe that there is a natural bijection between
$\mathcal{B}(\mathcal{Z}, X)$ and the family of bases of the integer polymatroid $\mathcal{Z}|X$.
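As an added worked example (not part of the paper), the following Python code computes the objects just defined by brute force for a small integer polymatroid: the independent vectors $\mathcal{D}$, the bases, the exchange condition, the recovery of $h$ from the bases, and $\mathcal{B}(\mathcal{Z}, X)$. The sample rank function $h(X) = |\bigcup_{i \in X} B_i|$ for the constructed sets $B_0 = \{1,2\}$, $B_1 = \{2,3\}$, $B_2 = \{3\}$ on the ground set $\{0,1,2\}$ is an assumption chosen for illustration, and the function names are mine.

```python
from itertools import combinations, product

# Added example (not from the paper): Section 2.2 objects computed by brute force.
# Ground set elements double as vector indices, so J = (0, 1, ..., m-1).

def subsets(ground):
    """All subsets of the ground set, as tuples."""
    return [X for r in range(len(ground) + 1) for X in combinations(ground, r)]

def independent_vectors(ground, h):
    """D = {u in Z_+^J : |u(X)| <= h(X) for every X subset of J}."""
    box = [range(h((i,)) + 1) for i in ground]          # u_i <= h({i}) is forced
    subs = subsets(ground)
    return {u for u in product(*box)
            if all(sum(u[i] for i in X) <= h(X) for X in subs)}

def bases(ground, h):
    """Maximal independent vectors, i.e. those of modulus h(J)."""
    return {u for u in independent_vectors(ground, h) if sum(u) == h(tuple(ground))}

def satisfies_exchange(B):
    """Exchange condition: for u, v in B with u_i > v_i there is a j with
    u_j < v_j and u - e^i + e^j in B."""
    B = set(B)
    for u in B:
        for v in B:
            for i, (ui, vi) in enumerate(zip(u, v)):
                if ui > vi and not any(
                        u[j] < v[j] and
                        tuple(x - (k == i) + (k == j) for k, x in enumerate(u)) in B
                        for j in range(len(u))):
                    return False
    return True

def rank_from_bases(B, X):
    """h(X) = max{|u(X)| : u in B}: the rank function recovered from the bases."""
    return max(sum(u[i] for i in X) for u in B)

def restricted_bases(ground, h, X):
    """B(Z, X): independent vectors with support inside X and modulus h(X)."""
    return {u for u in independent_vectors(ground, h)
            if all(u[i] == 0 for i in ground if i not in X) and sum(u) == h(tuple(X))}

# Constructed sample: rank function h(X) = |union of B_i, i in X| on J = {0, 1, 2}.
SETS = {0: {1, 2}, 1: {2, 3}, 2: {3}}
GROUND = (0, 1, 2)

def h_sample(X):
    return len(set().union(*(SETS[i] for i in X)))

if __name__ == "__main__":
    B = bases(GROUND, h_sample)
    print(sorted(B))                                   # the four bases
    print(satisfies_exchange(B))                       # True
    print(all(rank_from_bases(B, X) == h_sample(X) for X in subsets(GROUND)))
    print(sorted(restricted_bases(GROUND, h_sample, (1, 2))))
```

The same functions accept any rank function on subsets of the ground set; `satisfies_exchange` applied to an arbitrary family of vectors tells whether that family is the basis family of some integer polymatroid at all.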


2.3 Integer Polymatroids and Multipartite Matroid Ports

The aim of this section is to summarize the results in [12] about ideal multipartite
secret sharing schemes and their connection to integer polymatroids.

For a polymatroid $\mathcal{S}$ with ground set $J' = J \cup \{p_0\}$, the family $\Gamma_{p_0}(\mathcal{S}) =
\{A \subseteq J : h(A \cup \{p_0\}) = h(A)\}$ of subsets of $J$ is monotone increasing, and
hence it is an access structure on $J$. If $\mathcal{S}$ is a matroid, then the access structure
$\Gamma_{p_0}(\mathcal{S})$ is called the port of the matroid $\mathcal{S}$ at the point $p_0$. As a consequence
of the results by Brickell and by Brickell and Davenport, matroid ports
play a very important role in secret sharing. Ports of $\mathbb{K}$-representable matroids
are called $\mathbb{K}$-vector space access structures. Such an access structure admits an
ideal scheme that is constructed according to the method given by Brickell.
In addition, Brickell and Davenport proved that the access structure of every
ideal secret sharing scheme is a matroid port. This result was later generalized
by proving that the access structure of a secret sharing scheme is a matroid port
whenever the length of every share is less than $3/2$ times the length of the secret.
Definition 2.1. Let $\Pi = (\Pi_i)_{i \in J}$ be a partition of a set $P$ of participants.
Consider an integer polymatroid $\mathcal{Z}'$ on $J'$ with $h(\{p_0\}) = 1$ and $h(\{i\}) \le |\Pi_i|$
for every $i \in J$, and take $\mathcal{Z} = \mathcal{Z}'|J$. We define a $\Pi$-partite access structure
$\Gamma_{p_0}(\mathcal{Z}', \Pi)$ in the following way: a vector $u \in \mathcal{P}$ is in $\Gamma_{p_0}(\mathcal{Z}', \Pi)$ if and only if
there exist a subset $X \in \Gamma_{p_0}(\mathcal{Z}')$ and a vector $v \in \mathcal{B}(\mathcal{Z}, X)$ such that $v \le u$.

The following theorem summarizes the results from [12] about the connection
between ideal multipartite access structures and integer polymatroids. An access
structure is said to be connected if every participant is in at least one minimal
qualified subset.

Theorem 2.2 ([12]). Let $\Pi = (\Pi_i)_{i \in J}$ be a partition of a set $P$. A $\Pi$-partite
access structure $\Gamma$ on $P$ is a matroid port if and only if it is of the form
$\Gamma_{p_0}(\mathcal{Z}', \Pi)$ for some integer polymatroid $\mathcal{Z}'$ on $J'$ with $h(\{p_0\}) = 1$ and $h(\{i\}) \le
|\Pi_i|$ for every $i \in J$. In addition, if $\mathcal{Z}'$ is $\mathbb{K}$-representable, then $\Gamma_{p_0}(\mathcal{Z}', \Pi)$ is an
$\mathbb{L}$-vector space access structure for every large enough finite extension $\mathbb{L}$ of $\mathbb{K}$.
Moreover, if $\Gamma$ is connected, the integer polymatroid $\mathcal{Z}'$ is univocally determined
by $\Gamma$.

3 Some Useful Integer Polymatroids

In order to find families of ideal multipartite access structures with the required
properties, we need to find families of integer polymatroids that are representable
over every large enough finite field and can be described in a compact way.
To this end, we describe in the following two families of integer polymatroids,
namely the Boolean and the uniform ones, and several operations to obtain new
polymatroids from some given ones.

3.1 Operations on Polymatroids

We begin by presenting two operations on polymatroids: the sum and the truncation.
The first one is a binary operation, while the second one is unary.

The sum $\mathcal{Z}_1 + \mathcal{Z}_2$ of two polymatroids $\mathcal{Z}_1, \mathcal{Z}_2$ on the same ground set $J$ and
with rank functions $h_1, h_2$, respectively, is the polymatroid on $J$ with rank function
$h = h_1 + h_2$. If $\mathcal{Z}_1, \mathcal{Z}_2$ are $\mathbb{K}$-representable integer polymatroids, then their
sum is $\mathbb{K}$-representable too. Indeed, if $\mathcal{Z}_1$ is represented by the vector subspaces
$(V_i)_{i \in J}$ of $V$ and $\mathcal{Z}_2$ is represented by the vector subspaces $(W_i)_{i \in J}$ of $W$, then
the subspaces $(V_i \times W_i)_{i \in J}$ of $V \times W$ form a representation of the sum $\mathcal{Z}_1 + \mathcal{Z}_2$.
If $\mathcal{D}_1, \mathcal{D}_2 \subseteq \mathbb{Z}_+^J$ are the sets of independent vectors of $\mathcal{Z}_1$ and $\mathcal{Z}_2$, respectively,
then, as a consequence of [23, Theorem 44.6], the independent vectors of $\mathcal{Z}_1 + \mathcal{Z}_2$
are the ones in $\mathcal{D}_1 + \mathcal{D}_2 = \{u_1 + u_2 : u_1 \in \mathcal{D}_1,\ u_2 \in \mathcal{D}_2\}$. Therefore, the bases
of $\mathcal{Z}_1 + \mathcal{Z}_2$ are the vectors in $\mathcal{B}_1 + \mathcal{B}_2$, where $\mathcal{B}_1, \mathcal{B}_2 \subseteq \mathbb{Z}_+^J$ are the families of the
bases of those polymatroids.

For an integer polymatroid $\mathcal{Z}$ on $J$ with rank function $h$ and a positive integer
$t$ with $t \le h(J)$, it is not difficult to prove that the map $h'$ defined by $h'(X) =
\min\{h(X), t\}$ is the rank function of an integer polymatroid on $J$, which is called
the $t$-truncation of $\mathcal{Z}$. Observe that a vector $x \in \mathbb{Z}_+^J$ is a basis of the $t$-truncation
of $\mathcal{Z}$ if and only if $x$ is an independent vector of $\mathcal{Z}$ and $|x| = t$.
3.2 Boolean and Uniform Polymatroids

We introduce here two families of integer polymatroids.

The Boolean polymatroids form the first one. They are very simple integer
polymatroids that are representable over every finite field. Consider a finite set
$B$ and a family $(B_i)_{i \in J}$ of subsets of $B$. Clearly, the map $h(X) = \left|\bigcup_{i \in X} B_i\right|$
for $X \subseteq J$ is the rank function of an integer polymatroid $\mathcal{Z}$ with ground set $J$.
A Boolean polymatroid is an integer polymatroid that can be defined in this
way. Boolean polymatroids are representable over every field $\mathbb{K}$. If $|B| = r$, we
can assume that $B$ is a basis of the vector space $V = \mathbb{K}^r$. For every $i \in J$,
consider the vector subspace $V_i = \langle B_i \rangle$. Obviously, these subspaces form a $\mathbb{K}$-representation
of $\mathcal{Z}$. The modular polymatroids are those having a modular rank
function, that is, $h(X \cup Y) + h(X \cap Y) = h(X) + h(Y)$ for every $X, Y \subseteq J$. Every
integer modular polymatroid is Boolean, and hence it is representable over every
finite field. A Boolean polymatroid is modular if and only if the sets $(B_i)_{i \in J}$ are
disjoint. Observe that the rank function of an integer modular polymatroid is of
the form $h(X) = \sum_{i \in X} b_i$ for some vector $b \in \mathbb{Z}_+^J$. Actually, this vector is the
only basis of such a polymatroid.

Proposition 3.1. Every truncation of a Boolean polymatroid is representable
over every large enough finite field.

Proof. For a field $\mathbb{K}$ and a positive integer $t$, we consider the map $\psi_t : \mathbb{K} \to
\mathbb{K}^t$ defined by $\psi_t(x) = (1, x, \ldots, x^{t-1})$. Observe that, for every $t$ different field
elements $x_1, \ldots, x_t \in \mathbb{K}$, the set of vectors $\{\psi_t(x_\ell) : \ell = 1, \ldots, t\}$ is linearly
independent (its matrix is a Vandermonde matrix). Let $\mathcal{Z}$ be a Boolean polymatroid with ground set $J$, take $r = h(J)$,
and consider a field $\mathbb{K}$ with $|\mathbb{K}| \ge r$. Take $B \subseteq \mathbb{K}$ with $|B| = r$ and a family
$(B_i)_{i \in J}$ of subsets of $B$ such that $h(X) = \left|\bigcup_{i \in X} B_i\right|$ for every $X \subseteq J$. For a
positive integer $t \le r$ and for every $i \in J$, consider the vector subspace $V_i \subseteq \mathbb{K}^t$
spanned by the vectors in $\{\psi_t(x) : x \in B_i\}$. Clearly, these subspaces form a
$\mathbb{K}$-representation of the $t$-truncation of the Boolean polymatroid $\mathcal{Z}$. □

The second family that is introduced in this section is the one of the uniform
polymatroids. We say that a polymatroid $\mathcal{Z}$ with ground set $J$ is uniform if
every permutation on $J$ is an automorphism of $\mathcal{Z}$. In this situation, the rank
$h(X)$ of a set $X \subseteq J$ depends only on its cardinality, that is, there exist values
$0 = h_0 \le h_1 \le \cdots \le h_m$, where $m = |J|$, such that $h(X) = h_i$ for every
$X \subseteq J$ with $|X| = i$. It is easy to see that such a sequence of values $h_i$ defines a
uniform polymatroid if and only if $h_i - h_{i-1} \ge h_{i+1} - h_i$ for every $i \in [1, m-1]$.
Clearly, a uniform polymatroid is univocally determined by its increment vector
$\delta = (\delta_1, \ldots, \delta_m)$, where $\delta_i = h_i - h_{i-1}$. Observe that $\delta \in \mathbb{R}^m$ is the increment
vector of a uniform polymatroid if and only if $\delta_1 \ge \cdots \ge \delta_m \ge 0$. A uniform
polymatroid is a matroid if and only if $\delta_i \in \{0, 1\}$ for every $i = 1, \ldots, m$. In this
case, we obtain the uniform matroid $U_{r,m}$, where $r = \max\{i \in [1, m] : \delta_i = 1\}$.
It is well known that $U_{r,m}$ is $\mathbb{K}$-representable whenever $|\mathbb{K}| \ge m$. Obviously, the
sum of uniform polymatroids is a uniform polymatroid whose increment vector
is obtained by summing up the corresponding increment vectors. The next result
was proved in [12].

Proposition 3.2 ([12, Proposition 14]). Every uniform integer polymatroid
is a sum of uniform matroids. In particular, every uniform integer polymatroid
with ground set $J$ is representable over every field $\mathbb{K}$ with $|\mathbb{K}| \ge |J|$.

3.3 Multipartite Access Structures from Bases of Integer
Polymatroids

We present in the following a consequence of Theorem 2.2 that is very useful
in the search for new ideal multipartite access structures. Namely, we prove that
a multipartite access structure is ideal if its minimal vectors coincide with the
bases of a representable integer polymatroid. We need the following result, which
is a consequence of [12, Proposition 2.3].

Proposition 3.3 ([12]). Let $\mathcal{Z}$ be an integer polymatroid with ground set $J$ and
let $\Lambda$ be an access structure on $J$. Then there exists an integer polymatroid $\mathcal{Z}'$
on $J'$ with $h(\{p_0\}) = 1$ and $\mathcal{Z} = \mathcal{Z}'|J$ such that $\Lambda = \Gamma_{p_0}(\mathcal{Z}')$ if and only if the
following conditions are satisfied.

1. If $X \subseteq Y \subseteq J$ and $X \notin \Lambda$ while $Y \in \Lambda$, then $h(X) \le h(Y) - 1$.

2. If $X, Y \in \Lambda$ and $X \cap Y \notin \Lambda$, then $h(X \cup Y) + h(X \cap Y) \le h(X) + h(Y) - 1$.

Proposition 3.4. Let $\mathcal{Z}$ be a $\mathbb{K}$-representable integer polymatroid on $J$ and let
$\Gamma$ be a $\Pi$-partite access structure whose minimal vectors coincide with the bases
of $\mathcal{Z}$. Then $\Gamma$ is an $\mathbb{L}$-vector space access structure for every large enough finite
extension $\mathbb{L}$ of $\mathbb{K}$.

Proof. The access structure $\Lambda = \{X \subseteq J : h(X) = h(J)\}$ and the integer polymatroid
$\mathcal{Z}$ satisfy the conditions in Proposition 3.3. Moreover, for this particular
access structure, if $\mathcal{Z}$ is $\mathbb{K}$-representable, then the integer polymatroid $\mathcal{Z}'$ whose
existence is given by Proposition 3.3 is $\mathbb{L}$-representable for every large enough
finite algebraic extension $\mathbb{L}$ of $\mathbb{K}$. Indeed, consider a $\mathbb{K}$-vector space $V$ and vector
subspaces $(V_i)_{i \in J}$ forming a $\mathbb{K}$-representation of $\mathcal{Z}$. A representation of $\mathcal{Z}'$
is obtained by finding a vector $v_0 \in V$ such that $v_0 \notin \sum_{i \in X} V_i$ for every $X \subseteq J$
with $h(X) < h(J)$. Since $\sum_{i \in X} V_i \neq V$ if $h(X) < h(J)$, such a vector exists if $\mathbb{K}$
is large enough. Finally, it is not difficult to check that the minimal vectors of
$\Gamma_{p_0}(\mathcal{Z}', \Pi)$ coincide with the bases of $\mathcal{Z}$. □

4 Compartmented Access Structures

4.1 Compartmented Access Structures with Upper and Lower
Bounds

Simmons introduced compartmented access structures in opposition to the
hierarchical ones. Basically, compartmented access structures can be seen as a
modification of threshold access structures to be used in situations that require
the agreement of several parties. In a compartmented structure, all minimal
qualified subsets have the same size, but other requirements are added about
the number of participants in every part, or the number of involved parts.

The first examples of compartmented access structures were introduced by
Simmons. Brickell introduced a more general family, the so-called compartmented
access structures with lower bounds, and showed how to construct
ideal secret sharing schemes for them. These are the $\Pi$-partite access structures
defined by $\min \Gamma = \{u \in \mathcal{P} : |u| = t \text{ and } u \ge a\}$ for some vector $a \in \mathbb{Z}_+^J$ and
some positive integer $t$ with $t \ge |a|$. The compartmented access structures with
upper bounds are the $\Pi$-partite access structures with $\min \Gamma = \{u \in \mathcal{P} : |u| =
t \text{ and } u \le b\}$, where $b \in \mathbb{Z}_+^J$ and $t \in \mathbb{Z}_+$ are such that $b_i \le t \le |b|$ for every
$i \in J$. They were introduced by Tassa and Dyn, who constructed ideal secret
sharing schemes for them.

We introduce in the following a new family of compartmented access structures
that generalizes the previous ones. Namely, we prove that the compartmented
access structures that are defined by imposing both upper and lower
bounds on the number of participants in every part are ideal.

For a positive integer $t$ and a pair of vectors $a, b \in \mathbb{Z}_+^J$ with $a \le b \le \Pi(P)$,
$|a| \le t \le |b|$, and $b_i \le t$ for every $i \in J$, consider the $\Pi$-partite access structure $\Gamma$ defined
by

$\min \Gamma = \{x \in \mathcal{P} : |x| = t \text{ and } a \le x \le b\}. \quad (1)$

The compartmented access structures with upper bounds and the ones with
lower bounds correspond to the compartmented access structures defined above
with $a = 0$ and with $b = \Pi(P)$, respectively. We prove in the following that the
access structures (1) are ideal by checking that they are of the form $\Gamma_{p_0}(\mathcal{Z}', \Pi)$ for
a certain family of representable integer polymatroids. Given a positive integer
$t$ and two vectors $a, b \in \mathbb{Z}_+^J$ with $a \le b$ and $|a| \le t \le |b|$, consider the vector
$c = b - a \in \mathbb{Z}_+^J$ and the integer $s = t - |a| \in \mathbb{Z}_+$. Let $\mathcal{Z}_1$ be the integer
modular polymatroid defined by the vector $a$, and let $\mathcal{Z}_2$ be the $s$-truncation
of the integer modular polymatroid defined by the vector $c$. Then the integer
polymatroid $\mathcal{Z} = \mathcal{Z}_1 + \mathcal{Z}_2$ is representable over every large enough finite field,
by Proposition 3.1 and the remark on sums in Section 3.1.
The family of bases of $\mathcal{Z}$ is $\mathcal{B} = \{x \in \mathbb{Z}_+^J : |x| = t \text{ and } a \le x \le b\}$, because the
only basis of $\mathcal{Z}_1$ is $a$ and the bases of $\mathcal{Z}_2$ are the vectors $y \le c$ with $|y| = s$. By
Proposition 3.4, this proves that the compartmented access structures of the
form (1) are vector space access structures over every large enough finite field.

4.2 Compartmented Compartments

We introduce next another family of compartmented access structures. In this
case, instead of an upper bound for every compartment, we have upper bounds
for groups of compartments. Take $J = [1, m] \times [1, n]$ and a partition $\Pi =
(\Pi_{ij})_{(i,j) \in J}$ of the set $P$ of participants. Take vectors $a \in \mathbb{Z}_+^J$ and $b \in \mathbb{Z}_+^m$,
and an integer $t$ with $|a| \le t \le |b|$ and $\sum_{j=1}^{n} a_{ij} \le b_i \le t$ for every $i \in [1, m]$.
Consider the $\Pi$-partite access structure $\Gamma$ defined by

$\min \Gamma = \left\{x \in \mathcal{P} : |x| = t,\ a \le x, \text{ and } \sum_{j=1}^{n} x_{ij} \le b_i \text{ for every } i \in [1, m]\right\}.$

That is, the compartments are distributed into $m$ groups and we have an upper
bound for the number of participants in every group of compartments, while we
have a lower bound for every compartment.

We prove next that these access structures admit a vector space secret sharing
scheme over every large enough finite field. Consider the vector $c \in \mathbb{Z}_+^m$ defined
by $c_i = b_i - \sum_{j=1}^{n} a_{ij}$ and the integer $s = t - |a| \in \mathbb{Z}_+$. Let $\mathcal{Z}_1$ be the integer
modular polymatroid with ground set $J$ defined by the vector $a$. Let $\mathcal{Z}_3$ be the
integer polymatroid with ground set $J$ and family of bases

$\left\{x \in \mathbb{Z}_+^J : \sum_{j=1}^{n} x_{ij} = c_i \text{ for every } i \in [1, m]\right\},$

and let $\mathcal{Z}_2$ be the $s$-truncation of $\mathcal{Z}_3$. Finally, take $\mathcal{Z} = \mathcal{Z}_1 + \mathcal{Z}_2$.

Lemma 4.1. The minimal qualified sets of $\Gamma$ coincide with the bases of $\mathcal{Z}$.

Proof. Let $\mathcal{B}$ and $\mathcal{B}_2$ be the families of bases of $\mathcal{Z}$ and $\mathcal{Z}_2$, respectively. The
bases of $\mathcal{Z}$ are precisely the vectors of the form $x = a + y$ with $y \in \mathcal{B}_2$. Observe
that a vector $y \in \mathbb{Z}_+^J$ is in $\mathcal{B}_2$ if and only if $|y| = s$ and $\sum_{j=1}^{n} y_{ij} \le c_i$ for every
$i \in [1, m]$. □

Lemma 4.2. The integer polymatroid $\mathcal{Z}$ is representable over every large enough
finite field.

Proof. We only have to prove that this holds for $\mathcal{Z}_2$. By Proposition 3.1, for every
large enough finite field $\mathbb{K}$ there exist subspaces $(V_i)_{i \in [1, m]}$ of a $\mathbb{K}$-vector space
$V$ that form a representation of the $s$-truncation of the modular polymatroid
with ground set $[1, m]$ defined by the vector $c$. Then the subspaces $(W_{ij})_{(i,j) \in J}$
of $V$ with $W_{ij} = V_i$ for every $j \in [1, n]$ form a representation of $\mathcal{Z}_2$. □
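The following Python code is an added example, not part of the paper, that enumerates $\min \Gamma$ for the structures of Sections 4.1 and 4.2 directly from their definitions and checks by brute force the facts the arguments above rely on: that $\min \Gamma$ equals the family $a + \mathcal{B}_2$ of bases of $\mathcal{Z} = \mathcal{Z}_1 + \mathcal{Z}_2$ (Lemma 4.1), that the rank function recovered from those bases is $h(X) = |a(X)| + \min\{h_3(X), s\}$ with $h_3(X)$ the sum of the $c_i$ over the groups $X$ meets, and that $\mathcal{Z}$ together with $\Lambda = \{X \subseteq J : h(X) = h(J)\}$ satisfies the two conditions of Proposition 3.3, as used in the proof of Proposition 3.4. Compartments are indexed from $0$, the grouping of compartments is passed explicitly (Section 4.1 is the case of one compartment per group), and the two instances at the bottom are constructed for illustration; all function names are mine.

```python
from itertools import combinations, product

# Added example (not from the paper): compartmented structures of Sections 4.1/4.2.
# `a` is a tuple over compartments, `b` a tuple over groups, and `groups[i]` lists the
# compartments whose total is bounded by b_i.

def min_vectors(a, b, groups, t):
    """min Gamma: |x| = t, x >= a, and the sum of x over group i is at most b_i."""
    box = [range(ai, t + 1) for ai in a]
    return {x for x in product(*box) if sum(x) == t
            and all(sum(x[j] for j in g) <= bi for g, bi in zip(groups, b))}

def bases_of_Z(a, b, groups, t):
    """Bases of Z = Z_1 + Z_2 as a + B_2: B_2 holds the vectors y of modulus
    s = t - |a| whose group totals are at most c_i = b_i - (a summed over group i)."""
    s = t - sum(a)
    c = [bi - sum(a[j] for j in g) for g, bi in zip(groups, b)]
    B2 = {y for y in product(*[range(s + 1)] * len(a)) if sum(y) == s
          and all(sum(y[j] for j in g) <= ci for g, ci in zip(groups, c))}
    return {tuple(ai + yi for ai, yi in zip(a, y)) for y in B2}

def rank(B, X):
    """Rank function recovered from the bases: h(X) = max |u(X)|."""
    return max(sum(u[j] for j in X) for u in B)

def rank_closed_form(a, b, groups, t, X):
    """h(X) = h_1(X) + min(h_3(X), s): |a(X)| plus the truncated sum of the c_i
    of the groups that X meets."""
    s = t - sum(a)
    c = [bi - sum(a[j] for j in g) for g, bi in zip(groups, b)]
    touched = sum(ci for g, ci in zip(groups, c) if any(j in X for j in g))
    return sum(a[j] for j in X) + min(touched, s)

def prop_33_conditions(m, h, Lambda):
    """Both conditions of Proposition 3.3 for an access structure Lambda (a set of
    frozensets of range(m)) and a rank function h on frozensets."""
    subs = [frozenset(c) for r in range(m + 1) for c in combinations(range(m), r)]
    for X in subs:
        for Y in subs:
            if X <= Y and X not in Lambda and Y in Lambda and h(X) > h(Y) - 1:
                return False
            if X in Lambda and Y in Lambda and (X & Y) not in Lambda \
                    and h(X | Y) + h(X & Y) > h(X) + h(Y) - 1:
                return False
    return True

def check_instance(a, b, groups, t):
    """Run every check on one instance; returns (min Gamma, all checks passed)."""
    m = len(a)
    mins, B = min_vectors(a, b, groups, t), bases_of_Z(a, b, groups, t)
    subs = [frozenset(c) for r in range(m + 1) for c in combinations(range(m), r)]
    h = lambda X: rank(B, X)
    Lambda = {X for X in subs if h(X) == h(frozenset(range(m)))}   # proof of Prop. 3.4
    ok = (mins == B                                                   # Lemma 4.1
          and all(h(X) == rank_closed_form(a, b, groups, t, X) for X in subs)
          and prop_33_conditions(m, h, Lambda))
    return mins, ok

if __name__ == "__main__":
    # Section 4.2 instance: two groups of two compartments, a = (1,0,0,0), b = (2,2), t = 3.
    print(check_instance((1, 0, 0, 0), (2, 2), [[0, 1], [2, 3]], 3))
    # Section 4.1 instance (one compartment per group): a = (1,1), b = (3,3), t = 3.
    print(check_instance((1, 1), (3, 3), [[0], [1]], 3))
```

The closed-form rank is only meaningful under the hypotheses stated in the text ($\sum_j a_{ij} \le b_i \le t$ and $|a| \le t \le |b|$); `prop_33_conditions` is independent of that and can be applied to any rank function and access structure on the same ground set.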


5 Ideal Partially Hierarchical Access Structures

5.1 Ideal Hierarchical Access Structures

For an access structure $\Gamma$ on a set $P$, we say that a participant $p \in P$ is hierarchically
superior in $\Gamma$ to a participant $q \in P$, and we write $q \preceq p$, if $A \cup \{p\} \in \Gamma$
for every $A \subseteq P \setminus \{p, q\}$ with $A \cup \{q\} \in \Gamma$. Two participants are hierarchically
equivalent if $q \preceq p$ and $p \preceq q$. Observe that, if $\Gamma$ is $\Pi$-partite, every pair of
participants in the same part are hierarchically equivalent.

An access structure is hierarchical if every pair of participants are hierarchically
comparable. In this situation, the hierarchical order $\preceq$ is a total order on
$\Pi$. Weighted threshold access structures, which were introduced by Shamir
in his seminal work, are hierarchical, but they are not ideal in general. The ideal
weighted threshold access structures were characterized by Beimel, Tassa and
Weinreb. Other examples of hierarchical access structures are the multilevel
access structures introduced by Simmons, which were proved to be
ideal by Brickell, and the hierarchical threshold access structures presented
by Tassa. These were the only known families of ideal hierarchical access
structures before the connection between integer polymatroids and ideal multipartite
secret sharing presented in [12] made it possible to characterize the
ideal hierarchical access structures [13]. Actually, all ideal hierarchical access
structures are obtained from a special class of Boolean polymatroids [13] and,
because of that, they are vector space access structures over every large enough
finite field. Moreover, they admit a very compact description, as we see in the
following.

Consider two sequences $a = (a_0, \ldots, a_m)$ and $b = (b_0, \ldots, b_m)$ of integers
such that $a_0 = b_0 = 1$ and $a_i \le a_{i+1} \le b_i \le b_{i+1}$ for every
$i \in [0, m-1]$. For $i \in [0, m]$, take the subsets $B_i = [a_i, b_i]$ of the set $B =
[1, b_m]$ and consider the Boolean polymatroid $\mathcal{Z}' = \mathcal{Z}'(a, b)$ with ground set
$J' = [0, m]$ defined from them. It is proved in [13] (full version) that a vector
$x \in \mathcal{P} \subseteq \mathbb{Z}_+^m$ is in the $\Pi$-partite access structure $\Gamma = \Gamma_0(\mathcal{Z}', \Pi)$ if and only if
there exists $i_0 \in [1, m]$ such that $\sum_{j=1}^{i_0} x_j \ge b_{i_0}$, and $\sum_{j=1}^{i} x_j \ge a_{i+1} - 1$ for
all $i \in [1, i_0 - 1]$. Therefore, the participants in $\Pi_i$ are hierarchically superior
to the participants in $\Pi_j$ if $i < j$, and hence every access structure of the
form $\Gamma_0(\mathcal{Z}'(a, b), \Pi)$ is hierarchical. Moreover, every ideal hierarchical access
structure is of this form or it can be obtained from a structure of this form by
removing some participants [13].

In particular, if $a_i = 1$ for all $i \in [0, m]$ and $1 = b_0 \le b_1 \le \cdots \le b_m$, then
$x \in \Gamma_0(\mathcal{Z}'(a, b), \Pi)$ if and only if $\sum_{j=1}^{i_0} x_j \ge b_{i_0}$ for some $i_0 \in [1, m]$. These
are precisely the multilevel access structures introduced by Simmons, also
called disjunctive hierarchical threshold access structures by other authors.
They were proved to be ideal by Brickell. On the other hand, the conjunctive
hierarchical threshold access structures for which Tassa constructs ideal
secret sharing schemes are obtained by considering $1 = a_0 = a_1 < a_2 < \cdots < a_m$
and $1 = b_0 \le b_1 = \cdots = b_m$. In this case, $x \in \Gamma_0(\mathcal{Z}'(a, b), \Pi)$ if and only if
$\sum_{j=1}^{i} x_j \ge a_{i+1} - 1$ for all $i \in [1, m-1]$ and $\sum_{j=1}^{m} x_j \ge b_m$. Observe that, in
an access structure in the first family, there may be qualified subsets involving
only participants in the lowest level. This is not the case in any access structure
in the second family, because every qualified subset must contain participants in
the highest level.

By using the results in [13], we can find other ideal hierarchical access structures
with more flexible properties. If we take, for instance, $a = (1, 1, 1, 5, 5)$ and
$b = (1, 4, 6, 10, 12)$, every qualified subset in the hierarchical access structure
$\Gamma_0(\mathcal{Z}'(a, b), \Pi)$ must contain at least four participants in the first two levels, but some of
them do not have any participant in the first level.


5.2 Partial Hierarchies from Boolean Polymatroids

Moreover, by considering other Boolean polymatroids, we can find other families
of ideal access structures satisfying some given partial hierarchy, that is,
$\Pi$-partite access structures in which the hierarchical relation $\preceq$ on $\Pi$ is a partial
order. We present next an example of such a family of ideal partially hierarchical
access structures. Consider a family of subsets $(B_i)_{i \in [0, m]}$ of a finite set $B$
satisfying:

- $|B_0| = 1$ and $B_0 \subseteq B_1$, while $B_0 \cap B_i = \emptyset$ if $i \in [2, m]$, and

- $B_1 \cap B_i \neq \emptyset$ for every $i \in [2, m]$, and

- $B_i \cap B_j = \emptyset$ for every $i, j \in [2, m]$ with $i \neq j$.

Let $\mathcal{Z}'$ be the Boolean polymatroid with ground set $J' = [0, m]$ defined from this
family of subsets, and consider the $\Pi$-partite access structure $\Gamma = \Gamma_0(\mathcal{Z}', \Pi)$.
Take $t_1 = |B_1|$ and, for $i \in [2, m]$, $t_i = |B_i \setminus B_1|$ and $s_i = |B_i \cap B_1|$. Then a
vector $x \in \mathcal{P}$ is in the access structure $\Gamma$ if and only if there exists a vector $u \in \mathcal{P}$
such that

- $u \le x$,

- $1 \in \operatorname{supp}(u) = X$ and $|u| = h(X)$, and

- for every $Y \subseteq X$, $|u(Y)| \le \sum_{i \in Y} (t_i + s_i)$, where $s_1 = 0$.

Clearly, $q \preceq p$ if $p \in \Pi_1$ and $q \in \Pi_i$ for some $i \in [2, m]$. On the other hand,
any two participants in two different parts $\Pi_i, \Pi_j$ with $i, j \in [2, m]$ are not
hierarchically related.

5.3 Compartmented Access Structures with Hierarchical
Compartments

We can consider as well compartmented access structures with hierarchical compartments.
Take $J = [1, m] \times [1, n]$ and a partition $\Pi = (\Pi_{ij})_{(i,j) \in J}$ of the set
$P$ of participants. Consider a finite set $B$ and a family of subsets $(B_{ij})_{(i,j) \in J}$
such that $B_{in} \subseteq \cdots \subseteq B_{i2} \subseteq B_{i1}$ for every $i \in [1, m]$, and $B_{11} \cup \cdots \cup B_{m1} = B$,
and $B_{i1} \cap B_{j1} = \emptyset$ if $i \neq j$. Let $\mathcal{Z}$ be the $t$-truncation of the Boolean polymatroid
defined by this family of subsets. If $\Gamma$ is a $\Pi$-partite access structure
such that its minimal vectors coincide with the bases of $\mathcal{Z}$, then $\Gamma$ is a vector
space access structure over every large enough finite field. We now describe $\Gamma$.
For $(i, j) \in J$, take $b_{ij} = |B_{ij}|$. Consider the vector $b = (b_{11}, \ldots, b_{m1}) \in \mathbb{Z}_+^m$. Of
course, $|b| = |B|$. Suppose $b_{i1} \le t \le |b|$ for every $i \in [1, m]$. It is not difficult to
check that a vector $x \in \mathbb{Z}_+^J$ is a basis of $\mathcal{Z}$, and hence a minimal vector of $\Gamma$, if
and only if $|x| = t$ and $\sum_{k \ge j} x_{ik} \le b_{ij}$ for every $(i, j) \in J$. Observe that $\Gamma$ can
be seen as a compartmented access structure with compartments $\Pi_i = \bigcup_{j=1}^{n} \Pi_{ij}$
for $i \in [1, m]$, because every minimal qualified subset has exactly $t$ participants,
and at most $b_{i1}$ of them in compartment $\Pi_i$. In addition, we have a hierarchy
within every compartment. Actually, $q \preceq p$ if $p \in \Pi_{ij}$ and $q \in \Pi_{ik}$ with $j < k$.

6 Ideal Uniform Multipartite Access Structures

Herranz and Sáez (Section 3.2 of their paper) introduced a family of ideal multipartite access
structures that can be seen as a variant of the compartmented ones. Specifically,
given integers $1 \le k \le t$, consider the $\Pi$-partite access structure defined by

$\Gamma = \{x \in \mathcal{P} : |x| \ge t \text{ and } |\operatorname{supp}(x)| \ge k\}. \quad (2)$

It is proved there that $\Gamma$ is a vector space access structure over every large
enough finite field. Observe that the parts in the partition $\Pi = (\Pi_i)_{i \in J}$ are
symmetrical in $\Gamma$. That is, the minimal vectors of $\Gamma$ are invariant under any
permutation on $J$. In the following, we characterize all ideal multipartite access
structures with this property. We prove that all of them are vector space access
structures over every large enough finite field.

A $\Pi$-partite access structure $\Gamma$ is said to be uniform if the set $\min \Gamma \subseteq \mathbb{Z}_+^J$
of its minimal vectors is symmetric, that is, if $u = (u_i)_{i \in J} \in \min \Gamma$, then $\sigma u =
(u_{\sigma(i)})_{i \in J} \in \min \Gamma$ for every permutation $\sigma$ on $J$. In this section, we characterize
the uniform multipartite access structures that admit an ideal secret sharing
scheme. Moreover, we prove that all such access structures are vector space
access structures over every large enough finite field. This is done by using the
uniform integer polymatroids described in Section 3.2 to construct a family of
uniform multipartite access structures that admit a vector space secret sharing
scheme over every large enough finite field. Then we prove in Theorem 6.2 that
every ideal uniform multipartite access structure is a member of this family.

Let $\mathcal{Z}$ be a uniform integer polymatroid with increment vector $\delta$ on a ground
set $J$ with $|J| = m$. For $i \in [0, m]$, consider $h_i = \sum_{j=1}^{i} \delta_j$, the values of the rank
function of $\mathcal{Z}$. Recall that the $(k, m)$-threshold access structure on $J$ consists of
all subsets of $J$ with at least $k$ elements.

Lemma 6.1. For an integer $k \in [1, m]$, there exists an integer polymatroid $\mathcal{Z}'_k$
on $J' = J \cup \{p_0\}$ with $h(\{p_0\}) = 1$ and $\mathcal{Z} = \mathcal{Z}'_k|J$ such that $\Gamma_{p_0}(\mathcal{Z}'_k)$ is the $(k, m)$-threshold
access structure on $J$ if and only if $1 \le k \le m-1$ and $\delta_k > \delta_{k+1}$, or
$k = m$ and $\delta_m > 0$.

Proof. If there exists a polymatroid $\mathcal{Z}'_k$ with the required properties, then the first
condition in Proposition 3.3 implies that $h_{k-1} < h_k$, while $h_{k+1} + h_{k-1} < 2h_k$ if
$1 \le k \le m-1$ by the second one. Therefore, our condition is necessary. We prove
now sufficiency. Let $\Lambda$ be the $(k, m)$-threshold access structure on $J$. Observe
that $h_k > h_{k-1}$ because $\delta_k > 0$, and hence $h(X) < h(Y)$ if $X \subseteq Y \subseteq J$ and
$X \notin \Lambda$ while $Y \in \Lambda$. Consider now two subsets $X, Y \in \Lambda$ such that $X \cap Y \notin \Lambda$.
This implies in particular that $k < m$. Take $r_1 = |X| \ge k$, $r_2 = |Y| \ge k$, and
$s = |X \cap Y| < k$. Then $h_{r_1 + r_2 - s} - h_{r_2} = \sum_{i=1}^{r_1 - s} \delta_{r_2 + i} < \sum_{i=1}^{r_1 - s} \delta_{s + i} = h_{r_1} - h_s$.
The inequality holds because $k = s + i_0$ for some $i_0 \in [1, r_1 - s]$, and hence $\delta_{s + i_0} >
\delta_{r_2 + i_0}$. Therefore, $h(X \cup Y) + h(X \cap Y) < h(X) + h(Y)$. By Proposition 3.3, this
concludes the proof. □

Consider an integer $k \in [1, m]$ in the conditions of Lemma 6.1 and the corresponding
integer polymatroid $\mathcal{Z}'_k$. For a partition $\Pi = (\Pi_i)_{i \in J}$ of a set $P$ of
participants, consider the $\Pi$-partite access structure $\Gamma = \Gamma_{p_0}(\mathcal{Z}'_k, \Pi)$. A vector
$v \in \mathcal{P}$ is in $\Gamma$ if and only if there exists a vector $u$ with $0 \le u \le v$ such that

- $s = |\operatorname{supp}(u)| \ge k$ and $|u| = h_s$, and

- $|u(Y)| \le h_i$ for every $i \in [1, m]$ and for every $Y \subseteq J$ with $|Y| = i$.

As a consequence of the next result, $\Gamma = \Gamma_{p_0}(\mathcal{Z}'_k, \Pi)$ is a vector space access
structure over every large enough finite field. Moreover, every ideal uniform
multipartite access structure is of this form. Due to space limitations, we skip
the proof of this result, which will be given in the full version of this paper.

Theorem 6.2. Let $\Pi = (\Pi_i)_{i \in J}$ with $|J| = m$ be a partition of a set $P$ of
participants and let $\Gamma$ be a uniform $\Pi$-partite access structure. Then $\Gamma$ is ideal
if and only if there exist a uniform integer polymatroid $\mathcal{Z}$ on $J$ and an integer $k \in
[1, m]$ in the conditions of Lemma 6.1 such that $\Gamma = \Gamma_{p_0}(\mathcal{Z}'_k, \Pi)$. In particular,
every ideal uniform multipartite access structure is a vector space access structure
over every large enough finite field.

The uniform multipartite access structures of the form (2) were proved to be
ideal by Herranz and Sáez. By using the previous characterization, we obtain a shorter proof
of this fact. Consider the uniform integer polymatroid $\mathcal{Z}$ on $J$ with increment
vector $\delta$ defined by $\delta_1 = t - k + 1$, and $\delta_i = 1$ if $i \in [2, k]$, and $\delta_i = 0$ if
$i \in [k+1, m]$. Consider the integer polymatroid $\mathcal{Z}'_k$ whose existence is given by
Lemma 6.1. We claim that every $\Pi$-partite access structure $\Gamma$ of the form (2)
is equal to $\Gamma_{p_0}(\mathcal{Z}'_k, \Pi)$. Indeed, a vector $v \in \mathcal{P}$ is in $\Gamma_{p_0}(\mathcal{Z}'_k, \Pi)$ if and only if there
exists a vector $u$ with $0 \le u \le v$ such that

- $s = |\operatorname{supp}(u)| \ge k$ and $|u| = h_s = t$, and

- $|u(Y)| \le h_i$ for every $i \in [1, m]$ and for every $Y \subseteq J$ with $|Y| = i$.

Since $h_i = t - k + i$ for every $i \in [1, k]$ and $h_i = t$ for every $i \in [k, m]$, every vector $u \in \mathcal{P}$
satisfying the first condition satisfies as well the second one, and a vector $u \le v$ satisfying the first
condition exists exactly when $|v| \ge t$ and $|\operatorname{supp}(v)| \ge k$.
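Added example, not part of the paper: the membership test for $\Gamma_{p_0}(\mathcal{Z}'_k, \Pi)$ written out from the two conditions above, the condition of Lemma 6.1, and a brute-force check that, for the increment vector $\delta = (t-k+1, 1, \ldots, 1, 0, \ldots, 0)$, this structure coincides with (2) on every vector of $\mathcal{P}$. Function names and the instances at the bottom are mine; the instance $\delta = (2, 2, 1)$ with $k = 2$, whose minimal vectors are the permutations of $(2, 2, 0)$, is included as a uniform ideal structure that is not of the form (2).

```python
from itertools import combinations, product

# Added example (not from the paper): uniform multipartite structures of Section 6.
# A uniform polymatroid is given by its increment vector delta = (delta_1, ..., delta_m).

def rank_values(delta):
    """h_0, ..., h_m with h_i = delta_1 + ... + delta_i."""
    h = [0]
    for d in delta:
        h.append(h[-1] + d)
    return h

def is_increment_vector(delta):
    """delta defines a uniform polymatroid iff delta_1 >= ... >= delta_m >= 0 (Section 3.2)."""
    return all(x >= y for x, y in zip(delta, delta[1:])) and delta[-1] >= 0

def lemma_61_condition(delta, k):
    """Z'_k exists iff (1 <= k <= m-1 and delta_k > delta_{k+1}) or (k = m and delta_m > 0)."""
    m = len(delta)
    return (1 <= k <= m - 1 and delta[k - 1] > delta[k]) or (k == m and delta[m - 1] > 0)

def in_gamma(v, delta, k):
    """v is in Gamma_{p_0}(Z'_k, Pi) iff some u <= v has s = |supp(u)| >= k, |u| = h_s,
    and |u(Y)| <= h_|Y| for every Y subset of J."""
    m, h = len(delta), rank_values(delta)
    index_sets = [Y for i in range(1, m + 1) for Y in combinations(range(m), i)]
    for u in product(*(range(x + 1) for x in v)):
        s = sum(1 for x in u if x)
        if s < k or sum(u) != h[s]:
            continue
        if all(sum(u[j] for j in Y) <= h[len(Y)] for Y in index_sets):
            return True
    return False

def in_structure_2(v, t, k):
    """Structure (2) of Herranz and Saez: |x| >= t and |supp(x)| >= k."""
    return sum(v) >= t and sum(1 for x in v if x) >= k

def delta_for_structure_2(m, t, k):
    """Increment vector used in the short proof that (2) is ideal."""
    return tuple([t - k + 1] + [1] * (k - 1) + [0] * (m - k))

def structures_agree(m, t, k, part_size):
    """Compare both membership tests on every vector of P when all parts have `part_size` members."""
    delta = delta_for_structure_2(m, t, k)
    assert is_increment_vector(delta) and lemma_61_condition(delta, k)
    return all(in_gamma(v, delta, k) == in_structure_2(v, t, k)
               for v in product(range(part_size + 1), repeat=m))

if __name__ == "__main__":
    print(structures_agree(3, 4, 2, 3))            # True: (2) with t = 4, k = 2 on 3 parts
    print(in_gamma((2, 2, 0), (2, 2, 1), 2))       # True: two parts with 2 members each
    print(in_gamma((3, 1, 0), (2, 2, 1), 2))       # False, although |v| = 4 and |supp(v)| = 2
```

The search in `in_gamma` ranges over all $u \le v$, so it is exponential in the part sizes; it is a specification of the access structure, not a share-computation step.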

7 Efficiency of the Constructions of Ideal Multipartite
Secret Sharing Schemes

Several families of ideal multipartite access structures have been presented in the
previous sections. We proved that every one of these structures admits a vector
space secret sharing scheme over every large enough finite field. Our proofs are
not constructive, but a general method to construct vector space secret sharing
schemes for multipartite access structures that are associated to representable
integer polymatroids was given in [12]. Unfortunately, this method is not efficient,
and no general efficient method is known.

Some issues related to the efficiency of the constructions of ideal schemes for
several particular families of multipartite access structures have been considered
in previous works. We describe in the following a unified framework, derived
from the general results in [12], in which those open problems can be more
precisely stated.

Take $J = [1, m]$ and $J' = [0, m]$, and let $(\Pi_i)_{i \in J}$ be a partition of the set $P$
of participants, where $|\Pi_i| = n_i$ and $|P| = n$. Consider an integer polymatroid
$\mathcal{Z}' = (J', h)$ with $k_i = h(\{i\}) \le n_i$ for every $i \in J$ and $k_0 = h(\{0\}) = 1$, and
take $k = h(J')$. Consider as well a finite field $\mathbb{K}$ and a $\mathbb{K}$-representation $(V_i)_{i \in J'}$
of $\mathcal{Z}'$. In this situation, one has to find a matrix $M = (M_0 \mid M_1 \mid \cdots \mid M_m)$ over $\mathbb{K}$
with the following properties:

1. $M_i$ is a $k \times n_i$ matrix ($n_0 = 1$) whose columns are vectors in $V_i$.

2. If $u = (u_0, \ldots, u_m)$ is a basis of $\mathcal{Z}'$, every $k \times k$ submatrix of $M$ formed
by $u_i$ columns in every $M_i$ is nonsingular.

As a consequence of the results in [12], every such matrix $M$ defines a vector
space secret sharing scheme for the multipartite access structure $\Gamma_0(\mathcal{Z}', \Pi)$.
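As an added example, not code from the paper or from [12], the following Python program builds a matrix $M$ with Properties 1 and 2 for one constructed instance and runs Brickell's vector space scheme on it. The instance is the 2-partite compartmented structure with lower bounds $a = (1, 1)$ and $t = 3$ of Section 4.1 with three participants per part, so a set is qualified iff it has at least three members with at least one from each part. For it, $k = h(J') = 3$; the representation $V_1 = \{(x, 0, z)\}$, $V_2 = \{(0, y, z)\}$ in $\mathbb{K}^3$ comes from the sum and truncation constructions of Section 3, $v_0 = (1, 1, 1)$ lies in neither subspace (as in the proof of Proposition 3.4), and the bases of $\mathcal{Z}'$ were worked out by hand from its rank function. The field $\mathbb{K} = GF(101)$, the random seed and all function names are assumptions; Property 2 is checked exhaustively over all bases of $\mathcal{Z}'$, which is feasible only because the instance is tiny.

```python
import random
from itertools import combinations, product

# Added example (not from the paper): matrix M of Section 7 for a constructed instance
# (2-partite, lower bounds a = (1,1), t = 3, three participants per part) over GF(101),
# and Brickell's scheme run on it.
P = 101
K_DIM = 3
V0 = (1, 1, 1)
# Bases of Z' on J' = {0, 1, 2}, by hand from h'({0}) = 1, h'({1}) = h'({2}) = 2,
# h'(X) = 3 whenever |X| >= 2.
BASES = [(1, 2, 0), (1, 0, 2), (1, 1, 1), (0, 2, 1), (0, 1, 2)]

def rref(mat, p):
    """Reduced row echelon form over GF(p); returns (rows, pivot columns)."""
    rows, pivots, r = [list(row) for row in mat], [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] % p), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [x * inv % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] % p:
                f = rows[i][c]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    return rows, pivots

def nonsingular(cols, p):
    """The square matrix with these columns has full rank over GF(p)."""
    return len(rref(list(zip(*cols)), p)[1]) == len(cols[0])

def combination(cols, target, p):
    """Coefficients lambda with sum(lambda_j * cols[j]) = target, or None if target
    lies outside the span (the column owners are then not qualified)."""
    aug = [list(row) + [t] for row, t in zip(zip(*cols), target)]
    rows, pivots = rref(aug, p)
    if len(cols) in pivots:
        return None
    lam = [0] * len(cols)
    for i, c in enumerate(pivots):
        lam[c] = rows[i][len(cols)]
    return lam

def property_2_holds(M, p):
    """For every basis u of Z', every k x k submatrix with u_i columns from M_i is nonsingular."""
    return all(nonsingular([c for part in pick for c in part], p)
               for u in BASES
               for pick in product(*(combinations(M[i], u[i]) for i in range(len(u)))))

def build_matrix(n1, n2, p, rng):
    """Randomised construction: draw columns inside V_1 and V_2 until Property 2 holds."""
    while True:
        M = {0: [V0],
             1: [(rng.randrange(p), 0, rng.randrange(p)) for _ in range(n1)],
             2: [(0, rng.randrange(p), rng.randrange(p)) for _ in range(n2)]}
        if property_2_holds(M, p):
            return M

def share(secret, M, p, rng):
    """Brickell's scheme: random r in K^k with r.v_0 = secret; the share of the owner
    of column v is r.v, a single field element (the scheme is ideal)."""
    r = [rng.randrange(p) for _ in range(K_DIM)]
    r[0] = (secret - r[1] * V0[1] - r[2] * V0[2]) * pow(V0[0], -1, p) % p
    return {(i, j): sum(x * y for x, y in zip(r, col)) % p
            for i in (1, 2) for j, col in enumerate(M[i])}

def reconstruct(shares, M, p):
    """The secret if v_0 is in the span of the holders' columns, otherwise None."""
    owners = list(shares)
    lam = combination([M[i][j] for i, j in owners], V0, p)
    if lam is None:
        return None
    return sum(l * shares[o] for l, o in zip(lam, owners)) % p

def run_demo(secret=42, seed=2011):
    """Share `secret` and try reconstruction from four subsets; participants are (part, index)."""
    rng = random.Random(seed)
    M = build_matrix(3, 3, P, rng)
    s = share(secret, M, P, rng)
    pick = lambda *owners: {o: s[o] for o in owners}
    return (reconstruct(pick((1, 0), (1, 1), (2, 0)), M, P),   # qualified: 2 + 1
            reconstruct(pick((1, 2), (2, 1), (2, 2)), M, P),   # qualified: 1 + 2
            reconstruct(pick((1, 0), (2, 0)), M, P),           # only two participants
            reconstruct(pick((1, 0), (1, 1), (1, 2)), M, P))   # all from one part

if __name__ == "__main__":
    print(run_demo())   # (42, 42, None, None)
```

Reconstruction solves $\sum_j \lambda_j c_j = v_0$ over the holders' columns $c_j$ and returns $\sum_j \lambda_j s_j$; when $v_0$ is outside their span the solve fails, which is the matroid-port condition $h(A \cup \{p_0\}) = h(A)$ of Section 2.3 in matrix form, and for a linear scheme such a set learns nothing about the secret.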

One of the unsolved questions is to determine the minimum size of the fields 
over which there exists a vector space secret sharing scheme for $\Gamma_0(Z', \Pi)$. An 
upper bound can be derived from [ref, Corollary 6.7]. Namely, such a matrix $M$ 
exists if $|\mathbb{K}| > \binom{n+1}{k-1}$. The best known lower bounds on $|\mathbb{K}|$ are linear in the 
number of participants, and they can be derived from [ref, Lemma 1.2] and other 
known results about arcs in projective spaces. Even though very large fields 
are required in general to find such a matrix by using the known methods, the 
number of bits needed to represent the elements of the base field is polynomial in the 
number of participants, and hence the computation of the shares and the 
reconstruction of the secret value can be performed efficiently in such a vector 
space secret sharing scheme. 

Another open problem is the existence of efficient methods to construct a 
vector space secret sharing scheme for $\Gamma = \Gamma_0(Z', \Pi)$, that is, the existence of 
polynomial-time algorithms to compute a matrix $M$ with the properties above. 
One important drawback is that no efficient method is known to check whether 
a matrix $M$ satisfying Property 1 satisfies Property 2 as well. Moreover, this 
seems to be related to some problems about representability of matroids that 
have been proved to be co-NP-hard [ref]. 

We discuss in the following some general construction methods that can be 
derived from the techniques introduced in previous works [ref] for 
particular families of multipartite access structures. 

The first method, which was used in [ref] and other works, consists basically 
in constructing the matrix $M$ column by column, checking at every step that 
all submatrices that must be nonsingular are so. Arbitrary vectors from the 
subspaces $V_i$ can be selected at every step, but perhaps a wiser procedure is to take 
vectors of some special form as, for instance, Vandermonde linear combinations 
of some basis of $V_i$. In any case, an exponential number of determinants has to 
be computed. 

A probabilistic algorithm was proposed in [ref] for multilevel and compartmented 
access structures. Namely, the vectors from the subspaces $V_i$ are selected 
at random. This method applies as well to the general case, and the success 
probability is at least $1 - \binom{N}{k}\,|\mathbb{K}|^{-1}$, where $N = \sum_{i \in J} k_i n_i$. By using this method, 
a matrix $M$ that, with high probability, defines a secret sharing scheme for the 
given access structure can be obtained in polynomial time. Nevertheless, no 
efficient method to check the validity of the output matrix is known. 

Finally, we survey two different methods proposed by Brickell [ref] and by 
Tassa [ref] for the hierarchical threshold access structures. Other related 
solutions appeared in [ref] for very particular cases of hierarchical threshold access 
structures. To better understand these methods, let us consider first the case 
of the threshold access structures. If the field $\mathbb{K}$ is very large, $n + 1$ randomly 
chosen vectors from $\mathbb{K}^k$ will define with high probability an ideal $(k, n)$-threshold 
scheme. Nevertheless, no efficient algorithm to check the validity of the output 
is available. One can instead choose $n + 1$ vectors of the Vandermonde form, and 
in this case an ideal $(k, n)$-threshold scheme is always obtained, and of course its validity 
can be checked in polynomial time. The solutions proposed in those works are 
based on the same idea. Namely, the vectors from the subspaces $V_i$ have to be 
of some special form such that a matrix with the required properties is obtained 
and, in addition, the validity of the output can be efficiently checked. The 
solution proposed by Brickell [ref] is not efficient because it requires computing a 
primitive element in an extension field whose extension degree increases with 
the number of participants. The one proposed by Tassa [ref, Section 3.3], which 
works only for prime fields, provides a polynomial time algorithm to construct a 
vector space secret sharing scheme for every hierarchical threshold access 
structure. The existence of similar efficient methods for other families of multipartite 
access structures is an open problem. 
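The threshold case just discussed, as an added worked example that is not part of the original paper: a $(k, n)$-threshold vector space secret sharing scheme over $\mathrm{GF}(p)$, with the matrix $M = (M_0 \,|\, M_1)$ built once from Vandermonde-form columns (valid by construction) and once from random columns (the probabilistic method). Property 2 for the threshold polymatroid (bases $(u_0, u_1) = (0, k)$ and $(1, k-1)$) is checked by brute force over all $\binom{n+1}{k}$ submatrices, which is exactly the exponential check the text refers to. All function names, the toy primes and the sample secret are this example's own assumptions.

```python
"""(k, n)-threshold secret sharing as a vector space scheme over GF(p).

Column 0 of M is the secret vector v_0; column i (1 <= i <= n) is participant
i's vector v_i.  The dealer picks a random row vector s with s.v_0 = secret
and hands participant i the share s.v_i.  A set A is qualified iff v_0 lies
in the span of {v_i : i in A}.  (Added example, constructed for illustration.)
"""
import random
from itertools import combinations


def det_mod(rows, p):
    """Determinant of a square matrix (list of rows) over GF(p)."""
    a = [list(r) for r in rows]
    n, det = len(a), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c] % p), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            det = -det
        det = det * a[c][c] % p
        inv = pow(a[c][c], -1, p)
        for r in range(c + 1, n):
            f = a[r][c] * inv % p
            for j in range(c, n):
                a[r][j] = (a[r][j] - f * a[c][j]) % p
    return det % p


def solve_mod(a, b, p):
    """Solve a*x = b over GF(p) by Gauss-Jordan; a must be nonsingular."""
    n = len(a)
    m = [list(a[i]) + [b[i] % p] for i in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if m[r][c] % p)
        m[c], m[piv] = m[piv], m[c]
        inv = pow(m[c][c], -1, p)
        m[c] = [v * inv % p for v in m[c]]
        for r in range(n):
            if r != c and m[r][c]:
                f = m[r][c]
                m[r] = [(m[r][j] - f * m[c][j]) % p for j in range(n + 1)]
    return [m[i][n] for i in range(n)]


def vandermonde_columns(k, xs, p):
    """v_0 = e_1 and v_i = (1, x_i, x_i^2, ..., x_i^(k-1)).  Distinct nonzero
    x_i give a valid threshold matrix for every p > n, no checks needed."""
    cols = [[1] + [0] * (k - 1)]
    for x in xs:
        cols.append([pow(x, j, p) for j in range(k)])
    return cols


def random_columns(k, n, p, rng):
    """The probabilistic method: n random nonzero columns from GF(p)^k."""
    cols = [[1] + [0] * (k - 1)]
    while len(cols) < n + 1:
        v = [rng.randrange(p) for _ in range(k)]
        if any(v):
            cols.append(v)
    return cols


def is_valid_threshold_matrix(cols, k, p):
    """Brute-force Property 2: every k participant columns, and every k-1
    participant columns together with v_0, must be linearly independent.
    That is C(n, k) + C(n, k-1) = C(n+1, k) determinants: exponential in n."""
    part = cols[1:]
    n = len(part)
    for s in combinations(range(n), k):
        if det_mod([part[i] for i in s], p) == 0:   # det(A) == det(A^T)
            return False
    for s in combinations(range(n), k - 1):
        if det_mod([cols[0]] + [part[i] for i in s], p) == 0:
            return False
    return True


def share(cols, secret, p, rng):
    """Dealer: random s with s.v_0 = secret (v_0 = e_1), share_i = s.v_i."""
    k = len(cols[0])
    s = [secret % p] + [rng.randrange(p) for _ in range(k - 1)]
    return {i: sum(a * b for a, b in zip(s, cols[i])) % p
            for i in range(1, len(cols))}


def reconstruct(cols, shares, p):
    """Qualified set of k participants: solve sum_i lambda_i v_i = v_0, then
    secret = sum_i lambda_i * share_i, since s.(sum lambda_i v_i) = s.v_0."""
    idx = sorted(shares)
    k = len(cols[0])
    if len(idx) != k:
        raise ValueError("need exactly k shares")
    a = [[cols[i][j] for i in idx] for j in range(k)]   # v_i as columns
    lam = solve_mod(a, cols[0], p)
    return sum(l * shares[i] for l, i in zip(lam, idx)) % p


if __name__ == "__main__":
    p, k, n = 7919, 3, 5                      # toy parameters, not for production use
    M = vandermonde_columns(k, [1, 2, 3, 4, 5], p)
    sh = share(M, 4242, p, random.Random(1))
    print("vandermonde valid:", is_valid_threshold_matrix(M, k, p),
          "reconstructed:", reconstruct(M, {1: sh[1], 3: sh[3], 5: sh[5]}, p))
    R = random_columns(k, n, p, random.Random(2))
    print("random valid over GF(%d):" % p, is_valid_threshold_matrix(R, k, p))
```

The validity check also exhibits the field-size lower bound the text attributes to arcs in projective spaces: over $\mathrm{GF}(2)$ with $k = 3$ and $n = 5$ it fails for every choice of columns, because the six columns would be six points of the Fano plane with no three on a line, and no such set exists (an arc in $\mathrm{PG}(2,2)$ has at most four points).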
Abstract. Structure-preserving signatures are signatures whose public 
keys, messages, and signatures are all group elements in bilinear groups, 
and the verification is done by evaluating pairing product equations. It is 
known that any structure-preserving signature in the asymmetric bilinear 
group setting must include at least 3 group elements per signature, and 
a matching construction exists. 

In this paper, we prove that optimally short structure-preserving 
signatures cannot have a security proof by an algebraic reduction that 
reduces existential unforgeability against adaptive chosen message 
attacks to any non-interactive assumption. Towards this end, we present a 
handy characterization of signature schemes that implies the 
separation. 

Keywords. Structure-Preserving Signatures, Algebraic Reduction, Meta- 
Reduction. 


1 Introduction 

1.1 Background 

When messages, signatures, and verification keys are elements of bilinear groups 
and the signature verification is done by evaluating pairing product equations, 
a signature scheme is called structure-preserving [ref]. A structure-preserving 
signature (SPS for short) blends well with the Groth-Sahai non-interactive proof 
system [ref] and enables the construction of efficient cryptographic protocols 
such as round-optimal blind signatures [ref], traceable signatures [ref], group 
encryption [ref], proxy signatures [ref], and delegatable credential systems [ref]. 

The first SPS was presented in [ref] as a feasibility result. A variation of 
the Camenisch-Lysyanskaya signature scheme [ref] introduced in [ref] is an SPS 
that is secure against random message attacks. Schemes in [ref] and [ref] are 
efficient when signing a single group element, but their signature size grows 
linearly in the size of the message. The scheme in [ref] is called automorphic as 
the message space includes its own public key, which is a useful feature in many 
applications. [ref] presented the first constant-size SPS, whose signature consists of 
7 group elements. Yet shorter signatures have been pursued since then; however, 
[ref] proved that any secure SPS in asymmetric bilinear groups requires at least 3 
group elements. They presented a scheme matching the lower bound. 

The 3-element SPS in [ref] is based on a strong interactive assumption. They 
also constructed a 4-element SPS with a restricted message space based on a non-
interactive assumption. It has been left as an open problem to find an optimal 
SPS based on a non-interactive assumption. 


1.2 Black-Box Separations 

A fully black-box reduction from a primitive B to a cryptographic scheme A 
is an algorithm R such that for any instance I of B and for any adversary E 
against A, if E breaks A_I then R^E breaks I. A black-box separation is to 
show the absence of such an algorithm R. While there are a number of non-black-
box techniques, e.g., [ref], black-box separations are meaningful as a convincing 
indication of the hardness of finding a reduction and as a guide to find a way to 
get around it. For variations and more discussion we refer to [ref]. 

Oracle separation and meta-reduction are widely used techniques in showing a 
separation. Oracle separation is useful in showing the difficulty of constructing a 
cryptographic scheme from a minimal primitive such as a one-way function. Since 
black-box reductions relativise, showing the existence of an oracle that is useful 
in breaking A but useless in breaking B implies the absence of black-box reductions 
from B to A. Since the seminal work by Impagliazzo and Rudich [ref], numerous 
results have been found using this approach. In most cases, the primitives are simple 
cryptographic objects such as one-way functions, and the schemes in question 
are non-interactive ones such as collision-free hash functions [ref] or signature 
schemes [ref]. A recent work in [ref] addresses more involved interactive 
schemes, blind signatures, by extending this line of techniques. 

In the meta-reduction approach, initiated by [ref], the proof of separation is 
done by constructing an algorithm, a so-called meta-reduction, that uses a 
reduction as a black-box and solves a targeted problem, which can be the same as 
or different from the primitive the reduction is supposed to break. The intuition 
is that if a reduction is successful, the reduction breaks the underlying 
primitive by itself without help from the adversary. Proofs of separation exploit 
strong properties of the target schemes and underlying primitives. [ref] exploits 
the blindness property in constructing a meta-reduction separating three-move 
blind signatures from non-interactive assumptions. In [ref] a class of protocols, 
constant-round sequentially witness-hiding special-sound protocols for unique 
witness relations, is separated from any standard assumptions. It includes some 
practically important protocols such as Schnorr identification schemes. 

Separation is often considered for limited classes of reductions. [ref] assumes a 
key-preserving property where the same RSA moduli are used in all oracle calls. 
Later in [ref] an assumption called instance non-malleability is introduced 
to ease the limitation. A variation in prime-order groups appears in [ref]. In 
[ref], a class of algorithms called algebraic reductions is considered. In 
this class, yielding a new group element is limited so that it is possible to extract 
its representation with respect to the relevant bases. As claimed in [ref], the class of algebraic 
reductions is not overly restrictive. In particular, for prime order groups, all 
known efficient reductions fall into this class to the best of our knowledge. 


1.3 Our Contribution 

This paper shows that every algebraic reduction falls short in proving existential 
unforgeability against adaptive chosen message attacks of 3-element SPS in Type-
III bilinear groups [ref] based on any non-interactive assumption. This gives a 
partial justification for the existing 3-element schemes with interactive assumptions, 
since algebraic algorithms, while covering all known reduction algorithms in 
prime order groups, are not powerful enough to prove the security of a 3-element 
SPS. 

Our separation follows the meta-reduction paradigm. However, instead of 
showing a monolithic proof that constructs a meta-reduction from scratch, we 
present a handy characterization that separates a signature scheme from any 
non-interactive assumptions. It facilitates the proofs, in particular when the re- 
ductions are restricted to a class of algorithms where knowledge extraction is 
given for free. The intuition behind our characterization is that if the signature 
scheme in question forces a reduction algorithm to know some information, e.g., 
the signing-key itself, to simulate the signing oracle in the EUF-CMA game, and 
this information is so essential that the adversary wins the game by seeing it, 
then the reduction algorithm can break the assumption without help from the 
adversary. Given the characterization, we show that such crucial information ex- 
ists in any 3-element SPS when the reduction algorithm is algebraic. This gives 
us our separation from non-interactive assumptions. 


2 Preliminaries 

2.1 Digital Signature Scheme 

We consider signature schemes that work over a set of common parameters, say 
GK. Concretely, there is a generator of the common parameters, and the key 
generation algorithm takes GK as input. Such an extended formulation is often 
used in practical cryptographic protocols where many users share the group for 
efficiency reasons. 


Separating Short Structure-Preserving Signatures 631 

Definition 1 (Digital Signature Scheme). A digital signature scheme Sig is 
a set of efficient algorithms (C, K, S, V). C is the common-parameter generator 
that takes security parameter $1^\lambda$ as input and outputs a common parameter GK. 
K is the key generator that takes GK as input and outputs a signing-key SK and 
verification-key VK. The keys include GK, and the public key VK defines a message 
space Msp. S is the signature generation algorithm that computes a signature $\Sigma$ 
for input message M by using signing key SK. V is the verification algorithm 
that takes VK, M, and $\Sigma$ and outputs 1 or 0, representing acceptance and 
rejection, respectively. 

A signature scheme must be correct, i.e., it is required that for any keys generated 
by K and for any message in Msp, it holds that $1 = V(VK, M, S(SK, M))$. It is 
assumed that there exists an efficiently computable function TstVk that takes $\lambda$ 
and VK as input and checks the validity of VK such that if $0 \leftarrow \mathrm{TstVk}(1^\lambda, VK)$ 
then $V(VK, \cdot, \cdot)$ always returns 0, and if $1 \leftarrow \mathrm{TstVk}(1^\lambda, VK)$ then the message 
space Msp is well defined and is efficiently and uniformly sampleable. A 
signature $\Sigma$ is called invalid (with respect to VK and M) if $1 \neq V(VK, M, \Sigma)$. 
Otherwise, it is called valid. 

We use the standard notion of existential unforgeability against adaptive chosen 
message attacks (euf-cma) [ref], formally defined as follows. 

Definition 2 (euf-cma). A signature scheme Sig = (C, K, S, V) is existentially 
unforgeable against adaptive chosen message attacks if, for any $\mathcal{A} \in$ PPT, the 
probability 

$$\Pr\!\left[\begin{array}{l} GK \leftarrow C(1^\lambda), \\ (VK, SK) \leftarrow K(GK), \\ (M^*, \Sigma^*) \leftarrow \mathcal{A}^{S(SK,\cdot)}(VK) \end{array} \;:\; M^* \notin Q \;\wedge\; 1 = V(VK, M^*, \Sigma^*)\right]$$

is negligible in $\lambda$. Here, $S(SK, \cdot)$ is a signing oracle that takes message M and 
returns signatures $\Sigma \leftarrow S(SK, M)$. Q is the set of messages submitted to the 
signing oracle. 


2.2 Bilinear Groups 

In this paper, let $\mathcal{G}$ be a generator of bilinear groups. It takes security parameter 
$1^\lambda$ as input and outputs $\Lambda := (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$ where 

- $p$ is a $\lambda$-bit prime, 

- $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are groups of prime order $p$ with efficiently computable group 
operations, membership tests, and bilinear mapping $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, 

- $\forall G \in \mathbb{G}_1 \setminus \{1\}$, $\forall H \in \mathbb{G}_2 \setminus \{1\}$, $e(G, H)$ generates $\mathbb{G}_T$, and 

- $\forall A \in \mathbb{G}_1$, $\forall B \in \mathbb{G}_2$, $\forall x, y \in \mathbb{Z}$ : $e(A^x, B^y) = e(A, B)^{xy}$. 

By generic operations, we mean the group operation, membership testing, and 
bilinear mapping over the groups in $\Lambda$. In Type-III groups [ref], no efficient 
isomorphisms are provided in either direction between $\mathbb{G}_1$ and $\mathbb{G}_2$. Throughout 
this paper, group descriptions $\Lambda$ always describe Type-III groups. 

By $\mathbb{G}_*$, we denote either $\mathbb{G}_1$ or $\mathbb{G}_2$ in $\Lambda$. For a vector of group elements 
$\mathbf{A} := (A_1, \ldots, A_k) \in \mathbb{G}_*^k$ and a vector of scalar values $\mathbf{x} := (x_1, \ldots, x_k) \in \mathbb{Z}_p^k$, we 
define the notation $\mathbf{A}^{\mathbf{x}} = \prod_{i=1}^{k} A_i^{x_i}$. 


2.3 Structure Preserving Signatures 

For a description of bilinear groups $\Lambda = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$, an equation of the 
form 

$$\prod_i \prod_j e(A_i, B_j)^{a_{ij}} = Z$$

for constants $a_{ij} \in \mathbb{Z}_p$, $Z \in \mathbb{G}_T$, and constants or variables $A_i \in \mathbb{G}_1$, $B_j \in \mathbb{G}_2$ is 
called a pairing product equation (PPE for short). 

Definition 3 (Structure-Preserving Signatures). A signature scheme (C, K, 
S, V) is called structure preserving with respect to bilinear group generator $\mathcal{G}$ if 

- Common parameter GK consists of a group description $\Lambda$. Constants $a_{ij}$ in 
$\mathbb{Z}_p$ are also included in GK, if any, 

- Verification-key VK includes $\Lambda$ and group elements in $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_T$, 

- Messages M consist of group elements in $\mathbb{G}_1$ and $\mathbb{G}_2$, 

- Signature $\Sigma$ consists of group elements in $\mathbb{G}_1$ and $\mathbb{G}_2$, and 

- Verification V evaluates membership in $\mathbb{G}_1$ and $\mathbb{G}_2$ and PPEs. 

In a narrow sense, SPS might be limited to $Z = 1$ and VK excluding elements 
in $\mathbb{G}_T$ so that accompanying witness-indistinguishable Groth-Sahai proofs can 
have the zero-knowledge property. 

2.4 Algebraic Algorithms 

An algorithm is called algebraic with respect to a group if it takes a vector 
of elements $X$ in the group and outputs a group element $Y$ and there is a 
corresponding algorithm, called an extractor, that can output the representation 
of $Y$ with respect to $X$. For instance, if the algebraic algorithm $\mathcal{R}$ takes $A, B \in 
\mathbb{G}_*$ as input and outputs $C \in \mathbb{G}_*$, then $\mathcal{R}$'s extractor $\mathcal{E}$ outputs $(a, b)$ such that 
$C = A^a B^b$. 

In the following, we give a formal definition of the minimal case where an 
algorithm takes group elements from one group as input and outputs only one 
group element. 

Definition 4 (Algebraic Algorithm). Let $\mathcal{R}$ be a probabilistic polynomial 
time algorithm that takes $\Lambda$, a string $aux \in \{0,1\}^*$, and group elements $X \in \mathbb{G}_*^k$ 
for some $k$ and $\mathbb{G}_*$ in $\Lambda$ as input and outputs a group element in $\mathbb{G}_*$ and a string 
$ext \in \{0,1\}^*$. $\mathcal{R}$ is called algebraic with respect to $\mathcal{G}$ if there exists $\mathcal{E} \in$ PPT 
getting the same input as $\mathcal{R}$, including the same random coins, such that for 
any $\Lambda \leftarrow \mathcal{G}(1^\lambda)$ and all polynomial size $X$ and $aux$, the following probability is 
negligible in $\lambda$. 

$$\Pr\!\left[\begin{array}{l} (Y, ext) \leftarrow \mathcal{R}(\Lambda, X, aux; r), \\ (\mathbf{y}, ext) \leftarrow \mathcal{E}(\Lambda, X, aux; r) \end{array} \;:\; Y \neq X^{\mathbf{y}}\right]$$

Please note that unlike the case of the knowledge of exponent assumptions 
[ref], which assume the presence of $\mathcal{E}$ for any malicious $\mathcal{R}$, here we try to 
capture the limitation of current technology in building reduction algorithms. It 
is in fact easy to imagine an algorithm $\mathcal{R}$ that may not be algebraic as defined 
above: $\mathcal{R}$ takes a string from $aux$ and directly translates it as a group element in 
$\mathbb{G}_*$. For such $\mathcal{R}$ there may not be an efficient extractor $\mathcal{E}$. However, a reduction 
algorithm that chooses $Y$ in this way will typically not be more useful than one 
that chooses $Y$ with a known discrete logarithm with respect to $X$. Accordingly, 
we consider algorithms that compute on explicitly given group elements. We also 
stress that we are only interested in capturing the structure of $Y$ with respect to 
the base $X$. It is possible that $aux$ contains additional group elements and that $\mathcal{R}$ 
returns group elements in $ext$ for which we do not care to know a representation 
with respect to $X$. 

The above definition extends naturally to $\mathcal{R}$ that takes group elements from 
both groups and outputs multiple group elements at the same time. Furthermore, 
we note that algorithms that output no group elements can also be regarded 
as algebraic by taking the identity as the default output for such algorithms, so that 
extracting the representation is trivial. Trivial algorithms that output group 
elements taken from inputs intact are algebraic, too. 

The notion is also extended to oracle algorithms. Let $(Y, ext)[X', aux'] \leftarrow 
\mathcal{R}^{\mathcal{O}}(\Lambda, X, aux)$ denote an execution of $\mathcal{R}$ accessing oracle $\mathcal{O}$, where $[X', aux']$ 
denotes all inputs to $\mathcal{R}$ given from (all invocations of) $\mathcal{O}$. We say that oracle 
algorithm $\mathcal{R}^{\mathcal{O}}$ is algebraic if there exists an algebraic algorithm $\mathcal{R}$ and the 
computation by $\mathcal{R}^{\mathcal{O}}$ is equivalent to the following sequence of computation. First set 
$X_0 := X$ and $aux_0 := aux$. Run $(Y_1, ext_1 \| \omega_1) \leftarrow \mathcal{R}(\Lambda, X_0, aux_0)$ and repeat 

$$\begin{array}{l} (X', aux') \leftarrow \mathcal{O}(\Lambda, Y_i, ext_i), \\ X_{i+1} := X_i \| X', \quad aux_{i+1} := \omega_i \| aux', \\ (Y_{i+1}, ext_{i+1} \| \omega_{i+1}) \leftarrow \mathcal{R}(\Lambda, X_{i+1}, aux_{i+1}) \end{array}$$

for $i = 1, 2, \ldots$ until state $\omega_{i+1}$ explicitly indicates termination and $Y_{i+1}$ includes $Y$. 
The extractor for $\mathcal{R}^{\mathcal{O}}$ is to compute $(\mathbf{y}, ext) \leftarrow \mathcal{E}^{\mathcal{O}}(\Lambda, X, aux)$ that fulfills $Y = 
(X'')^{\mathbf{y}}$ for $X'' = X \cup X'$. Such an extractor can be constructed in a straightforward 
manner by using the extractor for $\mathcal{R}$. 

By $\mathrm{Cls}_{alg}$ we denote the set of all algebraic algorithms with respect to $\mathcal{G}$. 
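An added illustration of Definition 4 and of the caveat above about an $\mathcal{R}$ that casts a string from $aux$ straight into a group element; the code is this edit's, not the paper's. The group element type below records, next to each value, its exponent vector with respect to the input base $X$, so that any computation built only from multiplication and exponentiation of the inputs is algebraic by construction and the extractor simply reads the record off. The group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$), the parameters and all names are toy assumptions of this example.

```python
"""Algebraic algorithms with a built-in extractor (added toy example).

Every Elem carries (value, rep): rep is the exponent vector y with
Y = prod_i X_i^{y_i} over the base X, or None when no representation is
known.  Multiplication adds exponent vectors, exponentiation scales them.
Toy group: order-q subgroup of Z_p^*, p = 2q+1 (constructed, not secure).
"""
P = 1019          # safe prime, p = 2q + 1
Q = 509           # prime order of the subgroup
G = 4             # a quadratic residue, hence a generator of the order-q subgroup


class Elem:
    def __init__(self, value, rep):
        self.value = value % P
        self.rep = None if rep is None else tuple(r % Q for r in rep)

    def __mul__(self, other):
        rep = None
        if self.rep is not None and other.rep is not None:
            rep = [a + b for a, b in zip(self.rep, other.rep)]
        return Elem(self.value * other.value, rep)

    def __pow__(self, e):
        rep = None if self.rep is None else [e * r for r in self.rep]
        return Elem(pow(self.value, e % Q, P), rep)


def base(values):
    """Wrap the input vector X; X_i's own representation is the i-th unit vector."""
    k = len(values)
    return [Elem(v, [1 if j == i else 0 for j in range(k)])
            for i, v in enumerate(values)]


def extract(y):
    """The extractor E of Definition 4: same view as R, returns y with Y = X^y
    (None when R left the algebraic world and nothing can be extracted)."""
    return y.rep


def check(X, y, rep):
    """Verify the extractor's claim Y = prod_i X_i^{rep_i}."""
    if rep is None:
        return False
    acc = 1
    for x, r in zip(X, rep):
        acc = acc * pow(x.value, r, P) % P
    return acc == y.value


def algebraic_reduction(X, aux):
    """A toy algebraic R: aux is used only as scalars; Y = X_0^(a+1) * X_1^b."""
    a, b = aux
    return (X[0] ** a) * (X[1] ** b) * X[0]


def non_algebraic_reduction(X, aux):
    """R that hashes a string from aux straight into the subgroup.  The result
    is a valid group element, but its discrete log over X is unknown, so the
    extractor has nothing to return: this is the case excluded by Definition 4."""
    h = int.from_bytes(aux.encode(), "big")
    return Elem(pow(h % Q + 1, 2, P), None)   # a square, hence in the subgroup


def demo():
    # The base X = (g^17, g^123); R never sees the exponents 17 and 123.
    X = base([pow(G, 17, P), pow(G, 123, P)])
    Y = algebraic_reduction(X, (5, 7))
    Z = non_algebraic_reduction(X, "aux string")
    return check(X, Y, extract(Y)), check(X, Z, extract(Z))


if __name__ == "__main__":
    print("algebraic R extractable:", demo()[0], "/ hash-to-group R:", demo()[1])
```

The oracle extension in the text is the same bookkeeping with a growing base: each element the oracle returns is appended to $X$ with a fresh unit vector, and the final representation is taken over $X'' = X \cup X'$.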


2.5 Non-interactive Hardness Assumptions 

Intuitively, an assumption states that there is no algorithm $\mathcal{A}$ that is better 
than any known (typically trivial) algorithm $U$, which, for example, selects its 
output uniformly from a proper domain. In fact, our formulation is so general 
that it can capture assumptions that are too strong and never hold and ones that are too weak 
and always hold. But this does not matter for our purpose, since we are to show 
the impossibility of reducing the security of a signature scheme to such (extreme) 
assumptions. 

Definition 5 (Non-interactive Hardness Assumptions). A non-interactive 
problem consists of a triple of algorithms $P = (I, V, U)$ where $I \in$ PPT is an 
instance generator, which takes $1^\lambda$ and outputs a pair of an instance and a 
witness, $(y, w)$, and $V$ is a verification algorithm that takes $y, w$ and an answer 
$x$, and outputs 1 or 0 representing acceptance or rejection, respectively. A 
non-interactive hardness assumption for problem $P$ is to assume that, for any 
$\mathcal{A} \in$ PPT, the following advantage function Adv is negligible in $\lambda$. 

$$\mathrm{Adv}_{\mathcal{A}}(1^\lambda) = \Pr[(y, w) \leftarrow I(1^\lambda),\ x \leftarrow \mathcal{A}(y) : 1 = V(y, x, w)] - \Pr[(y, w) \leftarrow I(1^\lambda),\ x \leftarrow U(y) : 1 = V(y, x, w)] \qquad (1)$$

In search problems, $U$ is typically set to an algorithm that returns the constant $\bot$ 
(or a random answer $x$ when the domain is uniformly sampleable). In decision 
problems, $U$ typically returns 1 or 0 randomly so that the latter probability is 
$1/2$. 

As we are concerned with structure-preserving signatures, we consider hard 
problems that are defined over bilinear groups as follows. 

Definition 6 (Hard Problem over $\mathcal{G}$). A non-interactive problem $P$ over 
bilinear group generator $\mathcal{G}$ is a non-interactive problem such that 

- instance generator $I$ runs $\Lambda \leftarrow \mathcal{G}(1^\lambda)$, and output $y$ includes $\Lambda$, and 

- there exists $\mathcal{A}$ that solves $P$ with access to an oracle that solves the discrete 
logarithm problem for the groups in $\Lambda$. 

By NIP, we denote all non-interactive problems. Similarly, $\mathrm{NIP}_{\mathcal{G}}$ denotes NIP over 
$\mathcal{G}$. Throughout the paper, we simply say that algorithm $\mathcal{A}$ solves problem $P$ if 
advantage $\mathrm{Adv}_{\mathcal{A}}(1^\lambda)$ is not negligible. 


2.6 Black-Box Reduction and Meta-Reduction 

When algorithm $\mathcal{R}$ is given $\mathcal{A}$ as a black-box, denoted by $\mathcal{R}^{\mathcal{A}}$, we mean that $\mathcal{R}$ 
and $\mathcal{A}$ are given the same security parameter and $\mathcal{R}$ is given access to an arbitrary 
number of copies of $\mathcal{A}$ as oracles. Interaction between $\mathcal{R}$ and $\mathcal{A}$ can be done 
in an interleaving manner. If $\mathcal{A}$ is a randomized algorithm, $\mathcal{A}$ has random coins 
inside and every copy uses the same randomness. The security parameter and 
the random coins are out of the control of $\mathcal{R}$. 

For problem $P$ and signature scheme Sig, $\mathcal{R}$ is a fully black-box reduction if, 
for any (even inefficient) successful forger $\mathcal{A}$ for Sig, $\mathcal{R}^{\mathcal{A}}$ is successful in solving 
$P$. By $\mathrm{Sig} \Rightarrow_{\mathcal{R}} P$, we mean that $\mathcal{R}$ is a black-box reduction from Sig to $P$. A 
separation between Sig and $P$ is to show that for Sig and $P$ there is no such $\mathcal{R}$ 
under the hardness assumption for problem $P'$. (The problem $P'$ can be the same 
as $P$ to make the separation unconditional.) Note that $\mathcal{R}$ depends on Sig and $P$. 
To claim that a class of hardness assumptions falls short of proving the security 
of any construction of a signature scheme in a class by any black-box reduction, 
one needs to show the absence of $\mathcal{R}$ for every signature scheme and assumption in the 
respective classes. 

In the meta-reduction paradigm, a proof typically begins with constructing 
a magic adversary $\mathcal{A}$ that is inefficient (or given access to a powerful oracle) but 
successful in breaking Sig, so that $\mathcal{R}^{\mathcal{A}}$ works as expected. It then constructs a meta-
reduction $\mathcal{M}$ such that $\mathcal{M}^{\mathcal{R}}$ solves $P'$. A major task of $\mathcal{M}$ is to efficiently emulate 
$\mathcal{A}$ by rewinding $\mathcal{R}$ and/or exploiting special properties of $\mathcal{R}$ and Sig. If $\mathcal{M}$ is 
successful in the emulation, $\mathcal{M}^{\mathcal{R}}$ can be seen as a polynomial-time algorithm 
that solves $P'$, which contradicts the assumed hardness of $P'$. 

3 Crucial Relation 

If any algorithm that simulates signatures must "know" the secret key, the 
unforgeability of the signature scheme cannot be proven by a black-box reduction to 
any non-interactive assumption. We extend this idea in such a way that it is not 
necessary to know the entire secret key, but some crucial information is 
necessary to conduct the simulation and sufficient to forge a signature if leaked to 
the adversary. Informally, crucial information is a witness for a binary relation 
$\Psi(\theta, \varpi)$, which we call a crucial relation, defined over signatures $\theta$ and some 
sensitive information $\varpi$. The relation requires three properties: every $\theta$ has exactly 
one $\varpi$ (uniqueness), whenever an entity is successful in producing signatures it 
is possible to extract $\varpi$ from the entity (extractability), and $\varpi$ is useful enough 
to yield a forgery (usefulness). A crucial relation is defined with respect to a 
class of algorithms $\mathrm{Cls} \subseteq$ PPT to which the entity that generates $\theta$ belongs. 

Let us first prepare some notation used in the formal definition. For a public 
key VK, a sequence of messages $\mathbf{M} = \{M_1, \ldots, M_n\} \in \mathrm{Msp}^n$ and signatures 
$\boldsymbol{\Sigma} = \{\Sigma_1, \ldots, \Sigma_n\}$, define $V(\theta)$ for $\theta := (VK, \mathbf{M}, \boldsymbol{\Sigma})$ by a function that returns 
$\prod_{i=1}^{n} V(VK, M_i, \Sigma_i)$. 

Definition 7 (Crucial Relation). Let Sig = (C, K, S, V) be a signature scheme. 
Let $\varpi \in \{0,1\}^*$ and $\theta = (VK, \mathbf{M}, \boldsymbol{\Sigma}) \in \{0,1\}^*$. A relation $\Psi(\theta, \varpi)$ is a 
crucial relation for Sig with respect to a class of algorithms Cls if the following 
properties are provided. 

- (Uniqueness) For every $\theta := (VK, \mathbf{M}, \boldsymbol{\Sigma})$ such that $1 = V(\theta)$, there exists 
exactly one (polynomial size) $\varpi$ fulfilling $1 = \Psi(\theta, \varpi)$. 

- (Extractability) For any $\mathcal{R} \in \mathrm{Cls}$, there exists $\mathcal{E} \in$ PPT and $n > 0$ such 
that, for any $VK \in \{0,1\}^*$ such that $1 \leftarrow \mathrm{TstVk}(1^\lambda, VK)$, and any arbitrary 
string $\varphi$ in $1^\lambda \| \{0,1\}^*$, the probability 

$$\Pr\!\left[\begin{array}{l} \mathbf{M} \leftarrow \mathrm{Msp}^n, \\ \boldsymbol{\Sigma} \leftarrow \mathcal{R}(\varphi, \mathbf{M}), \\ \varpi \leftarrow \mathcal{E}(\varphi, \mathbf{M}), \\ \theta := (VK, \mathbf{M}, \boldsymbol{\Sigma}) \end{array} \;:\; 1 = V(\theta) \;\wedge\; 1 \neq \Psi(\theta, \varpi)\right] \qquad (2)$$

is negligible in $\lambda$. The probability is taken over the choice of $\mathbf{M}$ and the 
randomness given to $\mathcal{R}$. The same randomness is given to $\mathcal{E}$. 

- (Usefulness) There exists an algorithm $\mathcal{B} \in$ PPT such that, for any $\theta := 
(VK, \mathbf{M}, \boldsymbol{\Sigma})$ and $\varpi$ that satisfy $\Psi(\theta, \varpi) = 1$, the following probability is 
not negligible in $\lambda$. 

$$\Pr[(M, \Sigma) \leftarrow \mathcal{B}(\theta, \varpi) \;:\; M \notin \mathbf{M} \;\wedge\; 1 = V(VK, M, \Sigma)]$$

Remarks: 

- The intuition of extractability is that whenever $\varphi$ is helpful for $\mathcal{R}$ in computing 
valid signatures, extractor $\mathcal{E}$ should be successful in extracting $\varpi$ from 
$\varphi$. This must hold even for non-legitimate VK as long as it is functional with 
respect to the verification. 

- For $\mathcal{R}$ that is successful only with negligible probability, $\mathcal{E}$ can be an empty 
algorithm. So we only need to care about successful $\mathcal{R}$ that yield valid 
signatures. In particular, conditioned on $1 = V(\theta)$ happening with noticeable 
probability, the conditional probability that $1 = \Psi(\theta, \varpi)$ is overwhelming. 

- There may be many $\varphi$ that make $\mathcal{R}$ produce the same $\boldsymbol{\Sigma}$ from the same VK 
and $\mathbf{M}$. Whichever $\varphi$ is given, $\mathcal{E}$ must output the same $\varpi$. 

Let $\mathrm{SIGCR}_{\mathrm{Cls}}$ denote the signature schemes that have a crucial relation for a class of 
algorithms Cls. We require Cls to be a class of algorithms in PPT that satisfies 
the following trivial composition. For any $\mathcal{A} \in \mathrm{Cls}$, the following $\mathcal{A}'$ is also in 
Cls. $\mathcal{A}'$ takes inputs, say $aux_1$ and $X_1, \ldots, X_n$, and runs $\mathcal{A}$ as $(aux_{i+1}, Y_{i+1}) \leftarrow 
\mathcal{A}(aux_i, X_i)$ for $i = 1, \ldots, n$. $\mathcal{A}'$ then picks some $Y_j$ whose index is in the list 
specified in $aux_1$. Obviously, algebraic algorithms form such a class. The following 
proof is given for such Cls. 

Theorem 8. For any signature scheme Sig in $\mathrm{SIGCR}_{\mathrm{Cls}}$, for any non-interactive 
problem $P$ in NIP, there is no $\mathcal{R} \in \mathrm{Cls}$ such that $\mathrm{Sig} \Rightarrow_{\mathcal{R}} P$ if pseudo-random 
functions exist. 

Proof. Let $\mathcal{O}$ be a deterministic oracle that takes $\theta$ as input and returns $\varpi$ 
such that $1 = \Psi(\theta, \varpi)$ if it exists (otherwise returns $\bot$). Consider the following all-
powerful adversary $\mathcal{A}$ attacking Sig with access to $\mathcal{O}$. Let $f$ be a pseudo-random 
function. Given VK as input, $\mathcal{A}$ selects a random key for $f$ and checks if $1 \leftarrow 
\mathrm{TstVk}(1^\lambda, VK)$ (if not, $\mathcal{A}$ halts). Then it chooses $\mathbf{M}$ randomly from $\mathrm{Msp}^n$ for 
some constant $n$ by using pseudo-randomness generated by $f(VK)$. Let $\mathbf{M} \leftarrow 
\mathrm{Msp}^n_f(VK)$ denote these steps. $\mathcal{A}$ then sends $\mathbf{M}$ to the signing oracle (simulated by 
$\mathcal{R}$). After receiving $n$ signatures $\boldsymbol{\Sigma}$, $\mathcal{A}$ aborts if $\boldsymbol{\Sigma}$ contains an invalid signature. 
Otherwise, $\mathcal{A}$ calls $\mathcal{O}$ with input $\theta = (VK, \mathbf{M}, \boldsymbol{\Sigma})$ and obtains $\varpi$. It then executes 
$(M, \Sigma) \leftarrow \mathcal{B}(\theta, \varpi)$ and outputs $(M, \Sigma)$. 

To verify that the above $\mathcal{A}^{\mathcal{O}}$ is indeed a successful forger, consider that $\mathcal{A}^{\mathcal{O}}$ is 
given a legitimate VK and signatures generated by $S(SK, \mathbf{M})$. By correctness of 
Sig and the uniqueness property, $\varpi$ indeed exists and is uniquely defined. So $\mathcal{O}$ 
returns $\varpi$. Then due to the usefulness property, the output from $\mathcal{B}$ satisfies the 
predicates with probability not negligible in $\lambda$. Thus $\mathcal{A}^{\mathcal{O}}$ is a successful forger 
against Sig. 

Suppose that there exists $\mathcal{R} \in \mathrm{Cls}$ such that $\mathrm{Sig} \Rightarrow_{\mathcal{R}} P$ holds. Since $\mathcal{R}$ is a 
fully black-box reduction, it must be successful with the above $\mathcal{A}^{\mathcal{O}}$. Namely, 
$\mathrm{Adv}_{\mathcal{R}^{\mathcal{A}^{\mathcal{O}}}}(1^\lambda)$ as defined in Definition 5 is not negligible. 

Without loss of generality, we assume that $\mathcal{A}$ outputs the $n$ messages $\mathbf{M}$ at 
once. We also assume, without loss of generality, that when $\mathcal{R}$ outputs something 
for interaction it also outputs its internal state $\varphi$ at that moment. Then $\mathcal{R}$ is 
restarted taking $\varphi$ and some data from the interaction as input. 

We construct a meta-reduction $\mathcal{M}$ such that $\mathcal{M}^{\mathcal{R}}$ solves $P$. $\mathcal{M}$ emulates $\mathcal{A}^{\mathcal{O}}$ without 
any oracles. By a session, we mean the conversation between $\mathcal{R}$ and a copy of 
$\mathcal{A}$ initiated by $\mathcal{R}$ with input $VK_j$ to $\mathcal{A}$. Every session is labelled by an index. 
Given $y \leftarrow I(1^\lambda)$, $\mathcal{M}$ sets $\varphi_0 := y$. Let $\mathrm{BADSIG}[i]$ be a flag that indicates the 
presence of an invalid signature in the $i$-th session. It is initialized to zero. $\mathcal{M}$ runs 
$\mathcal{R}(\varphi_0)$ and does as follows. 

- If $\mathcal{R}$ outputs $(\varphi_i, VK_j)$ to invoke the $j$-th copy of $\mathcal{A}$, $\mathcal{M}$ checks $\mathrm{TstVk}(1^\lambda, VK_j)$ 
and halts the session if it is not 1. Otherwise, $\mathcal{M}$ selects $\mathbf{M}_j \leftarrow \mathrm{Msp}_j^n$ (if the 
same $VK_j$ has been observed before, say in session $k$, $\mathcal{M}$ uses the same 
$\mathbf{M}_k$ instead), and resumes $\mathcal{R}$ as $\mathcal{R}(\varphi_i \| \mathbf{M}_j)$. Here $\mathrm{Msp}_j$ is the message space 
associated to $VK_j$. 

- If $\mathcal{R}$ outputs $(\varphi_i, \Sigma_{k,\ell})$ for an existing session $k$, $\mathcal{M}$ checks if $1 = V(VK_k, 
M_{k,\ell}, \Sigma_{k,\ell})$. If not, $\mathcal{M}$ sets $\mathrm{BADSIG}[k]$ to 1. It then continues as follows. 

  - If $\ell < n$, $\mathcal{M}$ continues by running $\mathcal{R}(\varphi_i)$. 

  - If $\ell = n$ and $\mathrm{BADSIG}[k] = 0$, then $\mathcal{M}$ extracts $\varpi_k$ for this session 
as follows. Let $\varphi_i$ be the internal state that $\mathcal{R}$ outputs with $VK_k$. 
Let $\mathbf{M}_{k'}$ be the last message $\mathcal{R}$ is given before outputting $\Sigma_{k,n}$. Let 
$\varphi'_i := \varphi_i \| \{\mathbf{M}_{k+1}, \ldots, \mathbf{M}_{k'}\}$. Let $\mathcal{R}'$ be an algorithm associated to $\mathcal{R}$ 
that computes $\boldsymbol{\Sigma}_k \leftarrow \mathcal{R}'(\varphi'_i, \mathbf{M}_k)$. $\mathcal{R}'$ is a simple algorithm that parses 
$\varphi'_i$ into $\varphi_i \| \{\mathbf{M}_{k+1}, \ldots, \mathbf{M}_{k'}\}$, runs $\mathcal{R}(\varphi_i, \mathbf{M}_k)$, continues running $\mathcal{R}$ 
giving messages $\mathbf{M}_{k+1}, \ldots, \mathbf{M}_{k'}$ as input, collects signatures $\Sigma_{k,i}$ for 
$i = 1, \ldots, n$, and finally outputs $\boldsymbol{\Sigma}_k$. As $\mathcal{R}$ is in Cls, so is $\mathcal{R}'$ by the composition 
property assumed of Cls. Due to the extractability property, there exists polynomial-time 
$\mathcal{E}$ that computes $\varpi_k$ for $\theta_k := (VK_k, \mathbf{M}_k, \boldsymbol{\Sigma}_k)$. Thus, $\mathcal{M}$ runs $\mathcal{E}(\varphi'_i, \mathbf{M}_k)$ 
and obtains $\varpi_k$. As $V(\theta_k) = 1$ holds, $1 = \Psi(\theta_k, \varpi_k)$ holds except with 
negligible probability. $\mathcal{M}$ then invokes $(M^*_k, \Sigma^*_k) \leftarrow \mathcal{B}(\theta_k, \varpi_k)$ and runs 
$\mathcal{R}(\varphi_i \| (M^*_k, \Sigma^*_k))$ to continue. 

- If $\mathcal{R}$ outputs $x$, then $\mathcal{M}$ outputs $x$ and halts. 

Let $\mathrm{Adv}_{\mathcal{M}^{\mathcal{R}}}(1^\lambda)$ be the advantage of the above $\mathcal{M}$ in solving $P$. We show that 
the difference $\mathrm{Adv}_{\mathcal{R}^{\mathcal{A}^{\mathcal{O}}}}(1^\lambda) - \mathrm{Adv}_{\mathcal{M}^{\mathcal{R}}}(1^\lambda)$ is negligible. We start from $\mathcal{M}^{\mathcal{R}}$ and 
modify $\mathcal{M}$ slightly at a time. First replace the truly random choice $\mathbf{M}_j \leftarrow \mathrm{Msp}^n$ with 
the pseudo-random one $\mathbf{M}_j \leftarrow \mathrm{Msp}^n_f(VK)$. Call this modified algorithm $\mathcal{M}'$. The loss 
of advantage by this modification is negligible due to the indistinguishability 
of $f$. We prove that by constructing a distinguisher $\mathcal{D}$ for $f$ as follows. $\mathcal{D}$ runs 
$(y, w) \leftarrow I(1^\lambda)$ and emulates $\mathcal{M}^{\mathcal{R}}(y)$ as it is, except that whenever $\mathcal{M}$ chooses 
$\mathbf{M}_k$, $\mathcal{D}$ sends $VK_k$ to the challenger, obtains a string and uses it as random 
coins to generate $\mathbf{M}_k$. It then returns $\mathbf{M}_k$ to $\mathcal{R}$. When $\mathcal{M}$ terminates with 
$x$, $\mathcal{D}$ outputs $V(y, x, w)$. Obviously, if the strings from the challenger are truly 
random, $\mathcal{D}$ emulates $\mathcal{M}$. If, on the other hand, they are the output of $f$, $\mathcal{D}$ 
emulates $\mathcal{M}'$. Since the advantage of $\mathcal{D}$, say $\mathrm{Adv}_{\mathcal{D}}(1^\lambda)$, is assumed negligible, 
we have $|\mathrm{Adv}_{\mathcal{M}}(1^\lambda) - \mathrm{Adv}_{\mathcal{M}'}(1^\lambda)| = \mathrm{Adv}_{\mathcal{D}}(1^\lambda) \le \mathrm{negl}(\lambda)$. 

Next replace the extractor $\mathcal{E}$ with the oracle $\mathcal{O}$. Call this modified algorithm $\mathcal{M}''$. We show that the loss of advantage by moving from $\mathcal{M}'$ to $\mathcal{M}''$ is negligible. Let

$$\Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^n \\ \mathcal{E} \end{smallmatrix}\right] \qquad (3)$$

denote the probability presented above, taken over messages from $\mathsf{Msp}^n$ and with the extractor $\mathcal{E}$. We replace $\mathsf{Msp}^n$ and $\mathcal{E}$ with $\mathsf{Msp}^f$ and $\mathcal{O}$ accordingly, with the obvious meaning. With this notation, the loss of advantage is upper bounded by

$$\left|\mathrm{Adv}_{\mathcal{M}'}(1^\lambda) - \mathrm{Adv}_{\mathcal{M}''}(1^\lambda)\right| \le \left|\Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^f \\ \mathcal{E} \end{smallmatrix}\right] - \Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^f \\ \mathcal{O} \end{smallmatrix}\right]\right| . \qquad (4)$$


To evaluate the right hand side of (4), first observe that

$$\left|\Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^n \\ \mathcal{E} \end{smallmatrix}\right] - \Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^f \\ \mathcal{E} \end{smallmatrix}\right]\right| \qquad (5)$$

is negligible due to the indistinguishability of $f$. Also,

$$\left|\Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^n \\ \mathcal{E} \end{smallmatrix}\right] - \Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^n \\ \mathcal{O} \end{smallmatrix}\right]\right| \qquad (6)$$

is negligible due to the extractability property. Finally observe that

$$\left|\Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^n \\ \mathcal{O} \end{smallmatrix}\right] - \Pr\!\left[\begin{smallmatrix} M \leftarrow \mathsf{Msp}^f \\ \mathcal{O} \end{smallmatrix}\right]\right| \qquad (7)$$

is zero because the oracle $\mathcal{O}$ never causes $1 \neq \Psi(\theta, \varpi)$ if $1 = V(\theta)$, due to the uniqueness condition. Thus both probabilities in (7) are zero. Since (5) to (7) are all negligible, we conclude that (4) is negligible, too.

Finally, observe that $\mathcal{M}''$ is identical to $\mathcal{A}^{\mathcal{O}}$. Accordingly, $|\mathrm{Adv}_{\mathcal{A}^{\mathcal{O}}}(1^\lambda) - \mathrm{Adv}_{\mathcal{M},\mathcal{R}}(1^\lambda)|$ is negligible. Since $\mathcal{R}$ and $\mathcal{E}$ belong to $\mathsf{Cls} \subseteq \mathsf{PPT}$ and $\mathcal{M}$ only performs operations that can be done in polynomial time, the total running time of $\mathcal{M}$ and $\mathcal{R}$ remains polynomial. Thus $\mathcal{M}$ together with $\mathcal{R}$ forms a polynomial-time algorithm that solves $P$, which contradicts the assumed hardness of $P$. □


4 Crucial Relation in Size-3 SPS 

We consider the class of algebraic reductions that make oracle calls with keys formed over the groups for which they are defined as algebraic. This constraint plays a role when we construct an extractor for the crucial relation based on the extractor associated with the algebraic reduction. Since that extractor works only for the groups over which the algebraic reduction is defined, so does the resulting extractor for the crucial relation. Since the crucial relation involves the verification keys, we require all keys to be generated over the same groups the extractor works for. We call such algorithms group-preserving algebraic reductions. This notion has been used before in the literature, e.g., [23], and the constraint also has some similarity to key-preservation [ref] and instance non-malleability [22].

Theorem 9. There exists no group-preserving algebraic reduction that reduces the existential unforgeability of an SPS scheme to the hardness of any problem in $\mathsf{NIP}_P$ if signatures consist of three base group elements.

We prove Theorem 9 by proving the following lemma. Applying the theorem proved above then completes the proof.

Lemma 10. Any SPS scheme with signature size 3 has a crucial relation with respect to group-preserving algebraic algorithms.

We begin by recalling the result from [ref] that any SPS scheme whose verification consists of one pairing product equation, or whose signature consists only of elements of $\mathbb{G}_1$ or only of elements of $\mathbb{G}_2$, is not EUF-CMA. A signature scheme for signing multiple elements at once can always be used to sign a single element by setting the other group elements to 1. Without loss of generality, it therefore suffices to consider schemes whose message consists of a single group element and where the signature consists of 2 elements in one group and 1 element in the other. We will also consider, without loss of generality, the case where the verification consists of two pairing product equations. The result applies to schemes with more than two verification equations as well, and the proofs can be adapted with superficial changes.

Case of $\Sigma \in \mathbb{G}_1^2 \times \mathbb{G}_2$.

In any SPS whose signature consists of 3 group elements, $(R, S, T) \in \mathbb{G}_1^2 \times \mathbb{G}_2$, the verification predicate includes at least two pairing product equations that can be reduced to the following general form.

$$e(R, U_1 T^{a_1})\, e(S, U_2 T^{a_2})\, e(M, U_3 T^{a_3})\, e(U_0, T^{a_4}) = Z_1 \qquad (8)$$
$$e(R, V_1 T^{b_1})\, e(S, V_2 T^{b_2})\, e(M, V_3 T^{b_3})\, e(V_0, T^{b_4}) = Z_2 \qquad (9)$$

The group elements except for $M$, $R$, $S$ and $T$ are taken from the public key, and the constants in $\mathbb{Z}_p$ are taken from the common parameters. For a message $M$ and a signature $(R, S, T)$, let $\varphi_r, \alpha_r, \varphi_s, \alpha_s$, and $t$ be such that

$$R = G^{\varphi_r} M^{\alpha_r}, \quad S = G^{\varphi_s} M^{\alpha_s}, \quad \text{and} \quad T = H^t . \qquad (10)$$

We consider $\varphi_r, \alpha_r, \varphi_s, \alpha_s$ as variables that fulfill relations determined by (8), (9) and (10). Let $f_1$ and $f_2$ be

$$f_1 = \alpha_r m + \varphi_r - r, \quad \text{and} \quad f_2 = \alpha_s m + \varphi_s - s, \qquad (11)$$

where lower-case letters $r$, $s$, and $m$ represent the discrete logs (to base $G$) of the group elements denoted by the corresponding upper-case letters. (This convention is used throughout this paper.) By replacing $R$ and $S$ in (8) with those in (10) and taking discrete logs with respect to base $e(G, H)$, we can represent (8) as $f_3 m + f_4 = 0$ where

$$f_3 = \alpha_r (u_1 + a_1 t) + \alpha_s (u_2 + a_2 t) + (u_3 + a_3 t), \quad \text{and} \qquad (12)$$
$$f_4 = \varphi_r (u_1 + a_1 t) + \varphi_s (u_2 + a_2 t) + u_0 a_4 t - z_1 . \qquad (13)$$

Similarly, (9) can be represented as $f_5 m + f_6 = 0$ where

$$f_5 = \alpha_r (v_1 + b_1 t) + \alpha_s (v_2 + b_2 t) + (v_3 + b_3 t), \quad \text{and} \qquad (14)$$
$$f_6 = \varphi_r (v_1 + b_1 t) + \varphi_s (v_2 + b_2 t) + v_0 b_4 t - z_2 . \qquad (15)$$

Consider the system of equations $Q := \{f_1 = 0, \dots, f_6 = 0\}$. Focus on a non-redundant part, e.g., $f_1 = f_2 = f_3 = f_5 = 0$, which is represented as

$$\begin{pmatrix} m & 0 & 1 & 0 \\ 0 & m & 0 & 1 \\ u_1 + a_1 t & u_2 + a_2 t & 0 & 0 \\ v_1 + b_1 t & v_2 + b_2 t & 0 & 0 \end{pmatrix} \begin{pmatrix} \alpha_r \\ \alpha_s \\ \varphi_r \\ \varphi_s \end{pmatrix} = \begin{pmatrix} r \\ s \\ -(u_3 + a_3 t) \\ -(v_3 + b_3 t) \end{pmatrix} . \qquad (16)$$

Let $K_t$ denote the leftmost matrix in (16). It has rank 4, and

$$\det(K_t) = (a_1 b_2 - a_2 b_1)\, t^2 + (a_1 v_2 + u_1 b_2 - u_2 b_1 - a_2 v_1)\, t + (u_1 v_2 - u_2 v_1) . \qquad (17)$$

If $\det(K_t) \neq 0$, there exists a unique $(\alpha_r, \alpha_s, \varphi_r, \varphi_s)$ that fulfills $Q$. Note that $Q$ is defined with respect to the public key, $M$ and $T$.
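The following is an added example (not code from the paper) that works "in the exponent" as the proof does: it builds the matrix $K_t$ of (16) over a constructed toy prime field, checks that Gaussian elimination gives the same determinant as the closed form (17), and shows that when $\det(K_t) \neq 0$ the system $Q$ determines $(\alpha_r, \alpha_s, \varphi_r, \varphi_s)$ uniquely, while a public key whose second equation is proportional to the first makes $\det(K_t) = 0$ for every $t$. The field size and all key exponents are assumptions for the example.

```python
import random

P = 2**127 - 1  # constructed toy prime; stands in for the pairing-group order p


def solve_mod_p(A, rhs, p=P):
    """Gauss-Jordan elimination over Z_p. Returns (det, solution); the
    solution is None when the matrix is singular (det == 0)."""
    n = len(A)
    M = [[x % p for x in row] + [rhs[i] % p] for i, row in enumerate(A)]
    det = 1
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return 0, None
        if piv != col:
            M[col], M[piv] = M[piv], M[col]
            det = -det                      # a row swap flips the sign
        det = det * M[col][col] % p         # product of pivots
        inv = pow(M[col][col], p - 2, p)
        M[col] = [x * inv % p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return det % p, [M[i][n] for i in range(n)]


def system_Q(pk, m, t, r, s):
    """K_t and the right-hand side of (16) for f_1 = f_2 = f_3 = f_5 = 0."""
    A = [[m, 0, 1, 0],
         [0, m, 0, 1],
         [pk['u1'] + pk['a1'] * t, pk['u2'] + pk['a2'] * t, 0, 0],
         [pk['v1'] + pk['b1'] * t, pk['v2'] + pk['b2'] * t, 0, 0]]
    rhs = [r, s, -(pk['u3'] + pk['a3'] * t), -(pk['v3'] + pk['b3'] * t)]
    return A, rhs


def det_Kt(pk, t, p=P):
    """det(K_t) as the explicit quadratic in t given in (17)."""
    u1, u2, v1, v2 = pk['u1'], pk['u2'], pk['v1'], pk['v2']
    a1, a2, b1, b2 = pk['a1'], pk['a2'], pk['b1'], pk['b2']
    return ((a1 * b2 - a2 * b1) * t * t
            + (a1 * v2 + u1 * b2 - u2 * b1 - a2 * v1) * t
            + (u1 * v2 - u2 * v1)) % p


def make_signature(pk, m, t, phi_r, phi_s, p=P):
    """Signature exponents (r, s) satisfying f_1 = f_2 = f_3 = f_5 = 0.
    alpha_r, alpha_s are forced by f_3 = f_5 = 0; phi_r, phi_s are free."""
    A2 = [[pk['u1'] + pk['a1'] * t, pk['u2'] + pk['a2'] * t],
          [pk['v1'] + pk['b1'] * t, pk['v2'] + pk['b2'] * t]]
    rhs2 = [-(pk['u3'] + pk['a3'] * t), -(pk['v3'] + pk['b3'] * t)]
    _, sol = solve_mod_p(A2, rhs2, p)
    if sol is None:
        raise ValueError("det(K_t) = 0 for this t; pick another t")
    alpha_r, alpha_s = sol
    r = (alpha_r * m + phi_r) % p   # f_1 = 0
    s = (alpha_s * m + phi_s) % p   # f_2 = 0
    return r, s, (alpha_r, alpha_s, phi_r % p, phi_s % p)


def extract_witness(pk, m, t, r, s, p=P):
    """The crucial-relation witness (alpha_r, alpha_s, phi_r, phi_s) when
    det(K_t) != 0, otherwise None (the witness is then not unique)."""
    A, rhs = system_Q(pk, m, t, r, s)
    d, sol = solve_mod_p(A, rhs, p)
    assert d == det_Kt(pk, t, p)    # elimination agrees with formula (17)
    return None if sol is None else tuple(sol)


def random_pk(rng, p=P):
    keys = ('u1', 'u2', 'u3', 'v1', 'v2', 'v3', 'a1', 'a2', 'a3', 'b1', 'b2', 'b3')
    return {k: rng.randrange(p) for k in keys}


def degenerate_pk(pk, lam, p=P):
    """Second verification equation proportional to the first, i.e.
    (v_i, b_i) = lam * (u_i, a_i): every coefficient in (17) vanishes."""
    q = dict(pk)
    for i in '123':
        q['v' + i] = lam * pk['u' + i] % p
        q['b' + i] = lam * pk['a' + i] % p
    return q


def demo(seed=1):
    """Returns (witness recovered exactly?, degenerate key has det 0?)."""
    rng = random.Random(seed)
    pk = random_pk(rng)
    m, t, phi_r, phi_s = (rng.randrange(P) for _ in range(4))
    r, s, secret = make_signature(pk, m, t, phi_r, phi_s)
    recovered = extract_witness(pk, m, t, r, s)
    singular = extract_witness(degenerate_pk(pk, 7), m, t, r, s)
    return recovered == secret, singular is None
```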


Crucial Relation. Now we are ready to define a crucial relation as follows. For $VK = (GK, U_0, U_1, U_2, U_3, U_4, V_0, V_1, V_2, V_3, V_4)$ and $\theta = (VK, M, \Sigma)$, let $\varpi = (\alpha_r, \alpha_s, G^{\varphi_r}, G^{\varphi_s}, H^t)$. Relation $\Psi(\theta, \varpi)$ returns 1 if there exists a valid $(M, R, S, T)$ in $\theta$ such that

- $T = H^t$,

- $(\alpha_r, \alpha_s, \varphi_r, \varphi_s)$ determined by $\varpi$ fulfills $Q$ w.r.t. $VK$ and $M$, and

- $(M, R, S, T)$ is the first one in $\theta$ with $\det(K_t) \neq 0$.

Relation $\Psi$ also returns 1 if $\det(K_t) = 0$ for all $(M, R, S, T)$ in $\theta$ and $\varpi = \bot$. Note that the second condition implies $R = G^{\varphi_r} M^{\alpha_r}$, $S = G^{\varphi_s} M^{\alpha_s}$. Such $\varpi$ is extractable, unique, and useful, as shown below.

Uniqueness. The first $(M, \Sigma)$ with $\det(K_t) \neq 0$ is unique in $\theta$ (assuming that signatures are stored in order) if it exists. Then, $\varpi$ is uniquely determined for such $(M, \Sigma)$ from relation (16). When no $(M, \Sigma)$ with $\det(K_t) \neq 0$ exists in $\theta$, $\varpi$ is also uniquely defined to be $\bot$. Accordingly, for any $\theta$, there is a unique $\varpi$ such that $\Psi(\theta, \varpi) = 1$.
Usefulness. Given $\varpi$ that satisfies $\Psi(\theta, \varpi) = 1$, a valid signature for an arbitrary message can be created as follows. We first consider the case where $\varpi = (\alpha_r, \alpha_s, G^{\varphi_r}, G^{\varphi_s}, H^t) \neq \bot$. Given $\varpi$ and an arbitrary message $M^*$, compute $R^* = (G^{\varphi_r}) M^{*\alpha_r}$, $S^* = (G^{\varphi_s}) M^{*\alpha_s}$, $T^* = (H^t)$. To see that $\Sigma^* = (R^*, S^*, T^*)$ is a valid signature for $M^*$, observe that the first verification predicate (8) is

$$e(R^*, U_1 T^{a_1})\, e(S^*, U_2 T^{a_2})\, e(M^*, U_3 T^{a_3})\, e(U_0, U_4 T^{a_4})$$
$$= e(G^{\varphi_r} M^{*\alpha_r}, H^{u_1 + a_1 t})\, e(G^{\varphi_s} M^{*\alpha_s}, H^{u_2 + a_2 t})\, e(M^*, H^{u_3 + a_3 t})\, e(G^{u_0}, H^{u_4 + a_4 t})$$
$$= e(M^*, H)^{f_3}\, e(G, H)^{f_4} .$$

It results in 1 since $\varpi$ satisfies $f_3 = f_4 = 0$. The second predicate can be verified in the same way. Thus, by choosing a fresh $M^*$, $(R^*, S^*, T^*)$ is a successful forgery.

We next consider the case of $\varpi = \bot$. It means that $\det(K_t) = 0$ holds for all $M$ and $(R, S, T)$ in $\theta$. We then present a concrete attack as follows. First we consider the case where (17) is not a zero polynomial. Since (17) is quadratic in $t$, there are at most two $T$'s for which $\det(K_t) = 0$. Given $\theta$ including more than three signatures, such a $T$ must appear more than once. Given two signatures $(M_1, R_1, S_1, T)$ and $(M_2, R_2, S_2, T)$ in $\theta$, the forger computes a random linear combination of the signatures as $(M^*, R^*, S^*) = (M_1^{\beta_1} M_2^{\beta_2}, R_1^{\beta_1} R_2^{\beta_2}, S_1^{\beta_1} S_2^{\beta_2})$ for randomly chosen $\beta_1$ and $\beta_2$ that satisfy $\beta_1 + \beta_2 = 1$. Then $(R^*, S^*, T)$ is a valid signature for $M^*$, which is random and fresh with high probability. (The forger chooses messages that are not 1 to make sure $M_1 \neq 1$ or $M_2 \neq 1$, so that $M^*$ is uniform.) Next consider the case where (17) is a zero polynomial. Then we have $a_1 b_2 = a_2 b_1$ and $u_1 v_2 = u_2 v_1$. Let $\delta_1$ and $\delta_2$ be

$$\delta_1 := \frac{b_1}{a_1} = \frac{b_2}{a_2}, \quad \text{and} \quad \delta_2 := \frac{v_1}{u_1} = \frac{v_2}{u_2}, \qquad (18)$$

which are defined to be zero if any of $a_1$, $a_2$, $u_1$ or $u_2$ is zero. Then, from $f_3 = f_5 = 0$ in (12) and (14), we have

$$\left( \frac{u_2 + a_2 t}{u_1 + a_1 t} - \frac{v_2 + b_2 t}{v_1 + b_1 t} \right) \alpha_s + \left( \frac{u_3 + a_3 t}{u_1 + a_1 t} - \frac{v_3 + b_3 t}{v_1 + b_1 t} \right) = 0 . \qquad (19)$$

The coefficient of $\alpha_s$ in (19) is zero since $\det(K_t) = 0$. Thus we have

$$\frac{u_3 + a_3 t}{u_1 + a_1 t} - \frac{v_3 + b_3 t}{v_1 + b_1 t} = 0 . \qquad (20)$$

Since (20) holds for any $t$, we have

$$\frac{b_3}{a_3} = \frac{b_1}{a_1} = \delta_1 \quad \text{and} \quad \frac{v_3}{u_3} = \frac{v_1}{u_1} = \delta_2 . \qquad (21)$$

Similarly, from $f_4 = f_6 = 0$ in (13) and (15), we have

$$\frac{v_0 b_4}{u_0 a_4} = \frac{b_1}{a_1} = \delta_1 \quad \text{and} \quad \frac{z_2}{z_1} = \frac{v_1}{u_1} = \delta_2 . \qquad (22)$$

From (18), (21) and (22), the second verification predicate (9) is

$$1 = e(R^{a_1} S^{a_2} M^{a_3} U_0^{a_4}, T)^{\delta_1} \cdot \{ e(R, U_1)\, e(S, U_2)\, e(M, U_3)\, Z_1^{-1} \}^{\delta_2},$$

and the first verification predicate (8) is

$$1 = e(R^{a_1} S^{a_2} M^{a_3} U_0^{a_4}, T) \cdot \{ e(R, U_1)\, e(S, U_2)\, e(M, U_3)\, Z_1^{-1} \} .$$

If $\delta_1 = \delta_2$, the verification predicates are in a linear relation. Thus they shrink into one predicate and the scheme is insecure. If $\delta_1 \neq \delta_2$, the equations hold if and only if

$$e(R^{a_1} S^{a_2} M^{a_3} U_0^{a_4}, T) = 1, \quad \text{and} \quad e(R, U_1)\, e(S, U_2)\, e(M, U_3)\, Z_1^{-1} = 1 .$$

The first equation implies either $R^{a_1} S^{a_2} M^{a_3} U_0^{a_4} = 1$ or $T = 1$. For such a case, the following attack succeeds. Request three or more signatures on randomly chosen messages. Then find two signatures $(M_1, R_1, S_1, T_1)$ and $(M_2, R_2, S_2, T_2)$ such that $T_1 = T_2 = 1$ or $T_1 \cdot T_2 \neq 1$. Then, a linear combination of the two signatures yields a new valid signature. That is, let $(M^*, R^*, S^*) = (M_1^{\beta_1} M_2^{\beta_2}, R_1^{\beta_1} R_2^{\beta_2}, S_1^{\beta_1} S_2^{\beta_2})$ for randomly chosen $\beta_1$ and $\beta_2$ that satisfy $\beta_1 + \beta_2 = 1$. Then $(M^*, R^*, S^*, T_1)$ is a valid fresh signature. Keeping the condition on $T_1$ and $T_2$ in mind, inspection is not hard and is omitted. This concludes that a successful forgery is possible even for the case of $\varpi = \bot$.

Extractability. Observe that, for any algebraic algorithm that obtains $M$ as input and computes a group element $R$, there exists an extractor that outputs $\alpha_r$ such that $R = (G^{\varphi_r}) M^{\alpha_r}$, where the $(G^{\varphi_r})$ part is computed by multi-base exponentiation of the group elements except for $M$. Similarly, the extractor outputs $\alpha_s$ such that $S = (G^{\varphi_s}) M^{\alpha_s}$. Thus $(\alpha_1, \alpha_2, \varphi_1, \varphi_2)$, determined uniquely from the extracted $(\alpha_1, \alpha_2, G^{\varphi_1}, G^{\varphi_2}, H^t)$, fulfills $f_1$ and $f_2$. We then claim that $f_i = 0$ for $i = 3, \dots, 6$ also holds except with negligible probability. Otherwise, the algorithm can be used to solve the discrete-logarithm problem between $G$ and $M$. As we can manipulate all group elements given to the algorithm so that all their discrete logarithms are known except for $M$, we can compute $\varphi_r$ (and $\varphi_s$) from the extracted exponents. Suppose that, without loss of generality, $f_3 \neq 0$ happens for $M \neq 1$. Since $f_3 m + f_4 = 0$ for a valid signature, $f_4 \neq 0$ happens, too. Thus the equation $f_3 m + f_4 = 0$ with non-zero $f_3$ and $f_4$ determines $m$. For the case of $f_5 \neq 0$, use the equation $f_5 m + f_6 = 0$ with non-zero $f_5$ and $f_6$ instead. Accordingly, the extracted $(\alpha_1, \alpha_2, G^{\varphi_1}, G^{\varphi_2}, H^t)$ fulfills $Q$ with overwhelming probability, assuming the hardness of the discrete-logarithm problem in $\mathbb{G}_1$.

Since we can extract $(\alpha_1, \alpha_2, G^{\varphi_1}, G^{\varphi_2}, H^t)$ for all $M$ and $(R, S, T)$ in $\theta$, a question is how to find the first one with $\det(K_t) \neq 0$ if it exists. It is done as follows. Suppose that $\theta$ includes more than six valid signatures, say $(R_i, S_i, T_i)$ for $M_i$, for $i = 1, \dots, q$. Given the corresponding $\alpha_{r,i}$ and $\alpha_{s,i}$ that satisfy $f_1 = 0$ and $f_2 = 0$ from (12) and (14), one can solve the equations to obtain $(u_1, u_2, u_3, v_1, v_2, v_3)$ and every $t_i$. Observe that, when (12) and (14) are to be zero, we can represent $\alpha_{r,i}$ and $\alpha_{s,i}$ by

$$\alpha_{r,i} = \{ (u_3 + a_3 t_i)(v_2 + b_2 t_i) - (v_3 + b_3 t_i)(u_2 + a_2 t_i) \} / \det(K_{t_i}), \quad \text{and}$$
$$\alpha_{s,i} = \{ (v_3 + b_3 t_i)(u_1 + a_1 t_i) - (u_3 + a_3 t_i)(v_1 + b_1 t_i) \} / \det(K_{t_i}) .$$

If $\det(K_{t_i}) \neq 0$, the pair $(\alpha_{r,i}, \alpha_{s,i})$ is unique to $t_i$. By using the extracted $(u_1, u_2, u_3, v_1, v_2, v_3)$ and $t_i$ in each signature, we can find the smallest index $i^* \in \{1, \dots, q\}$ at which $\det(K_{t_{i^*}}) \neq 0$ with respect to $(M_{i^*}, \Sigma_{i^*})$, and assign $\varpi$ accordingly. If there is no such index, we set $\varpi = \bot$. The success probability of the extraction is overwhelming since the success probability of the extractor for the algebraic algorithm is overwhelming conditioned on the given signatures being valid.

Case of $\Sigma \in \mathbb{G}_1 \times \mathbb{G}_2^2$.

As in the previous case, any SPS with signature $(R, S, T) \in \mathbb{G}_1 \times \mathbb{G}_2^2$ for message $M \in \mathbb{G}_1$ verifies at least two pairing product equations that can be reduced to the following form.

$$e(R, U_1 T^{a_1} S^{b_1})\, e(M, U_2 T^{a_2} S^{b_2})\, e(U_3, T^{a_3})\, e(U_4, S^{b_4}) = Z_1 \qquad (23)$$
$$e(R, V_1 T^{c_1} S^{d_1})\, e(M, V_2 T^{c_2} S^{d_2})\, e(V_3, T^{c_3})\, e(V_4, S^{d_4}) = Z_2 \qquad (24)$$

Let $R = G^{\varphi_r} M^{\alpha_r}$. As before, we consider the relation in the exponent with respect to base $e(G, H)$. Then (23) and (24) are transformed as follows.

$$\{ \alpha_r (u_1 + a_1 t + b_1 s) + (u_2 + a_2 t + b_2 s) \}\, m + \varphi_r (u_1 + a_1 t + b_1 s) + u_3 a_3 t + u_4 b_4 s = z_1, \quad \text{and} \qquad (25)$$
$$\{ \alpha_r (v_1 + c_1 t + d_1 s) + (v_2 + c_2 t + d_2 s) \}\, m + \varphi_r (v_1 + c_1 t + d_1 s) + v_3 c_3 t + v_4 d_4 s = z_2 . \qquad (26)$$

Consider the system of equations $Q := \{ f_1 = 0, \dots, f_5 = 0 \}$ where $f_i$ is defined as

$$f_1 = \alpha_r m + \varphi_r - r, \qquad (27)$$
$$f_2 = \alpha_r (u_1 + a_1 t + b_1 s) + (u_2 + a_2 t + b_2 s), \qquad (28)$$
$$f_3 = \varphi_r (u_1 + a_1 t + b_1 s) + u_3 a_3 t + u_4 b_4 s - z_1, \qquad (29)$$
$$f_4 = \alpha_r (v_1 + c_1 t + d_1 s) + (v_2 + c_2 t + d_2 s), \quad \text{and} \qquad (30)$$
$$f_5 = \varphi_r (v_1 + c_1 t + d_1 s) + v_3 c_3 t + v_4 d_4 s - z_2 . \qquad (31)$$

Note that, with the above definition, (25) and (26) can be written as $f_2 m + f_3 = 0$ and $f_4 m + f_5 = 0$, respectively. Also note that if $u_1 + a_1 t + b_1 s \neq 0$ or $v_1 + c_1 t + d_1 s \neq 0$, then $\alpha_r$ is uniquely determined by $Q$.

Crucial Relation. For $VK = (GK, G, H, U_0, U_1, U_2, U_3, V_0, V_1, V_2, V_3)$ and $\theta = (VK, M, \Sigma)$, let $\varpi = (\alpha_r, G^{\varphi_r}, H^s, H^t)$. Relation $\Psi(\theta, \varpi)$ returns 1 if

- $\varpi = \bot$, and there exists $(M, R, S, T)$ in $\theta$ for which $u_1 + a_1 t + b_1 s = 0$ and $v_1 + c_1 t + d_1 s = 0$ hold, or

- for the first $(M, R, S, T)$ in $\theta$,

  - $R = G^{\varphi_r} M^{\alpha_r}$, $S = H^s$, and $T = H^t$ hold, and

  - $(\alpha_r, \varphi_r)$ determined by $\varpi$ fulfills $Q$ with respect to $VK$, $M$, $S$, and $T$.

In the following, we show that such $\varpi$ is unique, useful and extractable.

Uniqueness. If $\theta$ includes a signature that causes $u_1 + a_1 t + b_1 s = 0$ and $v_1 + c_1 t + d_1 s = 0$, then $\varpi$ must be $\bot$ to have $\Psi(\theta, \varpi) = 1$. If $\theta$ does not, then each element in $\varpi$ is uniquely determined from the first $(M, R, S, T)$ in $\theta$.

Usefulness. Given $\varpi = (\alpha_r, G^{\varphi_r}, H^s, H^t)$, pick a random $M^*$ and compute $R^* = G^{\varphi_r} M^{*\alpha_r}$, and set $S^* = H^s$ and $T^* = H^t$. Then $(M^*, R^*, S^*, T^*)$ is a valid forgery. If $\varpi = \bot$ and $\Psi(\theta, \varpi) = 1$, we show that the scheme is insecure. Suppose that $(u_1 + a_1 t + b_1 s = 0 \wedge v_1 + c_1 t + d_1 s = 0)$ happens with respect to $(M, R, S, T)$ in $\theta$. From (28) and (30), we have $u_2 + a_2 t + b_2 s = 0$ and $v_2 + c_2 t + d_2 s = 0$. It results in $U_2 T^{a_2} S^{b_2} = V_2 T^{c_2} S^{d_2} = 1$ in (23) and (24). Thus, $(M^*, R, S, T)$ is a valid forgery for any $M^*$.

Extractability. Given $(M, R, S, T)$, the relation $(u_1 + a_1 t + b_1 s = 0 \wedge v_1 + c_1 t + d_1 s = 0)$ can be verified by testing $(U_1 T^{a_1} S^{b_1} = 1 \wedge V_1 T^{c_1} S^{d_1} = 1)$. If it happens for any signature in $\theta$, set $\varpi = \bot$. Suppose, without loss of generality, that $u_1 + a_1 t + b_1 s \neq 0$ holds. Let $(M, R, S, T)$ be the first signature in $\theta$. For any algebraic algorithm that outputs $(R, S, T)$ for a given $M$, there exists an extractor that outputs $\alpha_r$ such that $R = G^{\varphi_r} M^{\alpha_r}$ for some $\varphi_r$. As argued before, this $\alpha_r$ fulfills $Q$ except with negligible probability if the discrete-logarithm problem in $\mathbb{G}_1$ is hard. Thus outputting $\varpi = (\alpha_r, G^{\varphi_r}, S, T)$ completes the extraction.

5 Conclusion and Open Problems 

Some ideas are suggested to get around our impossibility result. The first is to resort to interactive assumptions, as done for constructing a 3-element scheme in [ref]. The second would be to go beyond the group-preserving algebraic reduction. It, however, needs a number-theoretic breakthrough to exploit an adversary that works for a group with a different prime order. A more exotic approach is to find a non-black-box reduction that uses the adversary in a non-black-box manner. It also needs a breakthrough technique to exploit the code of the adversary in order to handle number-theoretic objects like bilinear groups.

While this paper focused on a particular type of bilinear groups due to its importance, it is of interest to see whether a similar result is obtained in other settings. Since known 4-element schemes based on non-interactive assumptions only sign messages in one of the base groups but not both, it would be worth pursuing a 4-element scheme that signs group elements from both groups at the same time, or showing its impossibility.
Abstract. We provide constructions of $(m, 1)$-programmable hash functions (PHFs) for $m \geq 2$. Mimicking certain programmability properties of random oracles, PHFs can, e.g., be plugged into the generic constructions by Hofheinz and Kiltz (J. Cryptol. 2011) to yield digital signature schemes from the strong RSA and strong $q$-Diffie-Hellman assumptions. As another application of PHFs, we propose new and efficient constructions of digital signature schemes from weaker assumptions, i.e., from the (standard, non-strong) RSA and the (standard, non-strong) $q$-Diffie-Hellman assumptions.

The resulting signature schemes offer interesting tradeoffs between efficiency/signature length and the size of the public keys. For example, our $q$-Diffie-Hellman signatures can be as short as 200 bits; the signing algorithm of our Strong RSA signature scheme can be as efficient as the one in RSA full domain hash; compared to previous constructions, our RSA signatures are shorter (by a factor of roughly 2) and we obtain a considerable efficiency improvement (by an even larger factor). All our constructions are in the standard model, i.e., without random oracles.

Keywords: digital signatures, RSA assumption, $q$-DH assumption, programmable hash functions.


1 Introduction 

Digital signatures are one of the most fundamental cryptographic primitives. They are used as a building block in numerous high-level cryptographic protocols. Practical signature schemes are known whose security is based on relatively mild intractability assumptions such as the RSA [ref] or the (bilinear) Computational Diffie-Hellman (CDH) assumption [ref]. However, their security can only be proved in the random oracle model [ref] with all its limitations (e.g., [ref]).

Standard Model Signatures. Signature schemes in the standard model (i.e., without using random oracles) are often considerably less efficient or based on much stronger assumptions. While tree-based signature schemes can be built from any one-way function [ref], these constructions are far from practical. On the other hand, "hash-and-sign" signatures are considerably more efficient, but the most efficient of these schemes rely on specific "strong" number-theoretic hardness assumptions which we call Strong $q$-assumptions.¹ In Strong $q$-assumptions, an adversary is provided with a polynomial number of random "solved instances" and has to compute a new solved instance of its choice. For example, the schemes in [ref] are based on the Strong (or, Flexible) RSA assumption and the schemes in [ref] are based on the Strong $q$-Diffie-Hellman assumption. Both assumptions are considerably stronger than their "non-strong" counterparts (i.e., the $q$-Diffie-Hellman and the RSA assumptions, respectively), in which an adversary has to solve a given, fixed instance. (See the full version of this paper [ref] for a discussion of the exact difference between strong and non-strong assumptions.)

Programmable Hash Functions. In order to mimic certain "programmability properties" of random oracles, Hofheinz and Kiltz [ref] introduced the combinatorial concept of programmable hash functions (PHF). (See Section [ref] for a formal definition.) Among a number of other applications, they used PHFs as a building block for efficient and short hash-and-sign signatures based on the Strong RSA and the Strong $q$-Diffie-Hellman assumptions. Concretely, signatures in the Strong RSA based HK signature scheme $\mathsf{Sig}_{\mathrm{SRSA}}[\mathsf{H}]$ are of the form $\mathsf{sig}(M) = (\mathsf{H}(M)^{1/e} \bmod N, e)$, where $N = pq$ is a public RSA modulus, $\mathsf{H}(\cdot)$ is an $(m, 1)$-PHF, and $e$ is a short prime (chosen at random during the signing process). A given HK signature $(\sigma, e)$ is verified by checking if $\sigma^e = \mathsf{H}(M) \bmod N$. The efficiency of the HK signature scheme is dominated by the time needed to generate the prime $e$, which (as shown in [ref]) depends on the parameter $m$ of the PHF: the bigger $m$, the smaller $e$ and consequently the more efficient the signing process.² Over bilinear groups there exists a similar construction, $\mathsf{Sig}_{\mathrm{S\text{-}}q\text{-}\mathrm{DH}}[\mathsf{H}]$, whose security is based on the Strong $q$-DH assumption. The main disadvantage of HK signatures is that their security relies on Strong assumptions, i.e., on the Strong RSA (Strong $q$-DH) and not on the standard RSA ($q$-DH) assumption.

RSA signatures. As a step towards practical signatures from the (standard) RSA assumption, Hohenberger and Waters [40] proposed the first hash-and-sign signature scheme (HW signatures) whose security is based on the RSA assumption. HW signatures are computed as $\mathsf{sig}(M) = g^{1/P(M)} \bmod N$, where $g \in \mathbb{Z}_N^*$ is a public element and $P(M) = e_1 \cdot \ldots \cdot e_{|M|}$ is the product of $|M|$ distinct primes. Here each prime $e_i$ is uniquely determined by the $i$-bit prefix $M|_i$ of the message $M$, and for each generation of $e_i$ a number of primality tests have to be executed, which is the dominant running time of signing (and verifying). The above signature scheme is only weakly secure under the RSA assumption, and a chameleon hash has to be used to make it fully secure, thereby doubling the signature size to two elements from $\mathbb{Z}_N$ and adding $\approx 2$ kbit to the public-key size [ref]. The main disadvantage of HW signatures is, however, the generation and testing of the $|M|$ primes $e_1, \dots, e_{|M|}$ necessary to compute the hash function $P(M)$. Concretely, for $k = 80$ bits security, HW signatures need to generate $|M| = 160$ random primes for the signing process.

¹ There are exceptions, e.g., by Waters [ref] (CDH assumption in bilinear groups), Hohenberger and Waters [ref], and the lattice-based schemes [ref] (SIS assumption). However, these are not among the most efficient "hash-and-sign"-type schemes.

² We stress that the PHF parameter $m$ does not directly correspond to the number of signatures that can be created during the security reduction. Rather, $m$ indicates how many collisions of (honestly generated) $e$-values we can handle in the reduction. Hence, the larger $m$ is, the smaller $e$ can be chosen.


1.1 Summary of Our Contributions 

As the main technical contribution we propose several new constructions of $(m, 1)$-PHFs for any $m \geq 1$. In particular, we solve the open problem posed in [ref] of constructing deterministic $(m, 1)$-PHFs for $m \geq 2$. Even though our main applications are digital signatures, we remark that PHFs are a very general framework for designing and analyzing cryptographic protocols in the Diffie-Hellman and RSA setting. For example, in [ref] it was shown that PHFs imply collision-resistant hash functions and lead to elegant and simple proofs of Waters' IBE and signature schemes [ref] and their countless variants (e.g., [ref]). More importantly, a large body of cryptographic protocols with security in the standard model are using, implicitly or explicitly, the partitioning trick that is formalized in PHFs. To mention only a few examples, this ranges from collision-resistant hashing [ref], digital signature schemes [ref] (also in various flavors [ref]), chosen-ciphertext secure encryption [ref], identity-based encryption [ref], attribute-based encryption [42] to symmetric authentication [ref]. We expect that our new PHF constructions can also be applied to some of the mentioned applications.

We also show how to use our new $(m, 1)$-PHFs for generic constructions of short yet efficient hash-and-sign signatures whose security is based on weaker hardness assumptions: the $q$-DH and the RSA assumption. Whereas our $q$-DH schemes $\mathsf{Sig}_{q\text{-}\mathrm{DH}}[\mathsf{H}]$ are (to the best of our knowledge) the first hash-and-sign schemes from this assumption, our RSA schemes $\mathsf{Sig}_{\mathrm{RSA}}[\mathsf{H}]$ and $\mathsf{Sig}^{\mathrm{c}}_{\mathrm{RSA}}[\mathsf{H}]$ are conceptually different from HW signatures, and we obtain a considerable efficiency improvement. A large number of new signature schemes with different tradeoffs can be derived by combining the generic signature schemes with PHFs. An overview of the efficiency of some resulting schemes and a comparison with existing schemes from [ref] is provided in Table 1. Our new schemes offer different tradeoffs between signature size, efficiency, and public-key size. The bigger the parameter $m$ in the $(m, 1)$-PHF, the larger the public-key size and the shorter the signatures. To obtain extremely short and/or efficient signatures, the size of the public key can get quite large. Concretely, with a public key of size 26 Mbit we obtain 200-bit signatures from the (Strong) $q$-DH assumption. These are the shortest known standard-model digital signatures in bilinear groups. Remarkably, $\mathsf{Sig}_{\mathrm{SRSA}}[\mathsf{H}_{\mathrm{cfs}}]$, which instantiates the Strong RSA signatures from [ref] with our new $(m, 1)$-PHF $\mathsf{H}_{\mathrm{cfs}}$ for $m \geq 6$, results in a hash-and-sign signature scheme where the signing procedure is dominated by one single modular exponentiation. This is the first RSA-based signature scheme whose signing complexity is not dominated by generating random primes.³ Hence signing is essentially as efficient as RSA full-domain hash [ref], with the drawback of a huge public key.

While these short signatures are mostly of theoretical interest and contribute to the problem of determining concrete bounds on the size of standard-model signatures, we think that in certain applications even a large public key is tolerable. In particular, our public-key sizes are still comparable to the ones of recently proposed lattice-based signatures [ref].

We note furthermore that it is possible to apply the efficiency improvements from [ref] to our RSA-based schemes as well. This allows us to reduce the number of primality tests required for signing and verification significantly. More precisely, it is possible to transform each signature scheme requiring $\Lambda$ primality tests into a scheme which requires only $\Lambda/c$ primality tests, at the cost of losing a factor of $2^{-c}$ in the security reduction. For example, $\mathsf{Sig}^{\mathrm{c}}_{\mathrm{RSA}}[\mathsf{H}_{\mathrm{weak}}]$ with $m = 11$ and $c = 40$ is an RSA-based signature scheme which requires only a single primality test for signing and verification, at the cost of losing a factor of $2^{-40}$ in the security reduction.


1.2 Details of Our Contributions 

Our main technical contribution to obtain shorter signatures are several new constructions of $(m, 1)$-PHFs for $m \geq 2$ (cf. Table [ref] in Section [ref]). Using cover-free sets, we construct a deterministic $(m, 1)$-PHF $\mathsf{H}_{\mathrm{cfs}}$ with public parameters of $O(km^2)$ group elements. This solves the problem from [ref] of constructing deterministic $(m, 1)$-PHFs for $m \geq 2$. We remark that cover-free sets were already used in [ref] to construct identity-based encryption schemes. Furthermore, we propose a randomized $(m, 1)$-PHF $\mathsf{H}_{\mathrm{rand}}$ with public parameters of $O(m^2)$ group elements and a small randomness space. Finally, we construct a weakly secure deterministic $(m, 1)$-PHF $\mathsf{H}_{\mathrm{weak}}$ with public parameters of $m$ group elements. The latter PHF already appeared implicitly in the context of identity/attribute-based encryption [ref] (generalizing [ref]). Weakly secure PHFs only yield weakly secure signature schemes that need to be "upgraded" to fully secure schemes using a chameleon hash function.

RSA Signatures. Our new RSA signatures $\mathsf{Sig}_{\mathrm{RSA}}[\mathsf{H}]$ are of the form

$$\mathsf{sig}(M) = (\mathsf{H}(M)^{1/P(s)} \bmod N,\ s), \qquad (1)$$

where $s$ is a short random bitstring, $\mathsf{H}(\cdot)$ is an $(m, 1)$-PHF, and $P(s) := e_1 \cdot \ldots \cdot e_{|s|}$ is the product of $|s|$ primes $e_1, \dots, e_{|s|}$, where the $i$th prime is uniquely determined by the $i$th prefix $s|_i$ of the randomness $s$. (If the PHF $\mathsf{H}$ is probabilistic, $\mathsf{sig}$ additionally contains a small random bitstring $r$.) Our security proof is along the lines of [ref], but

³ Since the complexity of finding a random $\mu$-bit prime with error $2^{-k}$ is $O(k\mu^4)$, we expect that for $\mu \approx 60$ (or, equivalently, using $\mathsf{H}_{\mathrm{cfs}}$ with $m \geq 6$) a full exponentiation modulo a 1024-bit integer becomes roughly as expensive as generating a random $\mu$-bit
Table 1. Signature sizes of different schemes. Rows with grey background indicate new results from this paper. The chosen parameters provide unforgeability with $k = 80$ bits of security after revealing maximally $q = 2^{30}$ signatures. RSA signatures are instantiated with a modulus of $|N| = 1024$ bits, bilinear signatures in asymmetric pairings using a BN curve [ref] with $\log p = 160$ bits. (In this, we actually ignore the multiplicative reduction loss between a forger and, e.g., an RSA adversary.) We assume that elements in $\mathbb{G}_1$ can be represented by $|\mathbb{G}_1| = 160$ bits, while an element of $\mathbb{G}_2$ by $|\mathbb{G}_2| = 320$ bits. The description of the bilinear group/modulus $N$ is not counted in the public key. We assume $2k = 160$-bit messages in order to provide $k = 80$ bits of security (to sign longer messages, we can apply a collision-resistant hash function first). The efficiency column counts the dominant operations for signing. For bilinear and RSA signatures this counts the number of modular exponentiations; for RSA signatures $k \times P_\mu$ counts the number of random $\mu$-bit primes that need to be generated to evaluate the function $P(\cdot)$. (For $\mu \gg 60$, $1 \times P_\mu$ takes more time than $1 \times \mathrm{Exp}$.) *The RSA-based chameleon hash function from [ref] (which builds upon [2]) was used (adding $1 \times |\mathbb{Z}_N|$ to the signature size). § The security reduction loses an additional factor of $2^{40}$.


| Signature scheme | Assumption | Sig. Size | Efficiency | PK size |
| Waters [ref] | CDH | 320 | 2 × Exp | 26k |
| Boneh-Boyen [ref] | Strong q-DH | 320 | 1 × Exp | 640 |
| Sig_S-q-DH[H_Wat] [ref] | Strong q-DH | 230 | 1 × Exp | 26k |
| Sig_S-q-DH[H_cfs] (m=8) | Strong q-DH | 200 | 1 × Exp | 26m |
| Sig_q-DH[H_Wat, H_Wat] (m=?) | q-DH | 230 | 1 × Exp | 48k |
| Sig_q-DH[…] (scheme name unreadable) (m=8) | q-DH | 200 | 1 × Exp | 26m |
| Cramer-Shoup [23] | Strong RSA | 2208 | 1 × P_160 | 3k |
| Gennaro et al.* [ref] | Strong RSA | 2048 | 1 × P_160 | 3k |
| Sig_SRSA[H_Wat] [ref] | Strong RSA | 1104 | 1 × P_80 | 128k |
| Sig_SRSA[H_cfs] (m=6) | Strong RSA | 1068 | ≈ 1 × Exp | 94m |
| Sig_SRSA[H_weak] (m=6) | Strong RSA | 2092 | ≈ 2 × Exp | 9k |
| Hohenberger-Waters* [40] | RSA | 2048 | 160 × P_1024 | 3k |
| Sig_RSA[H_weak] (m=2) | RSA | 2048 | 70 × P_1024 | 5k |
| Sig_RSA[H_weak] (m=4) | RSA | 2048 | 50 × P_1024 | 7k |
| Sig_RSA[H_Wat] (m=2) | RSA | 1094 | 70 × P_1024 | 128k |
| Sig_RSA[H_rand] (m=4) | RSA | 1214 | 50 × P_1024 | 32k |
| Sig_RSA[H_cfs] (m=4) | RSA | 1074 | 50 × P_1024 | 40m |
| Sig^c_RSA[H_weak]§ (m=11) | RSA | 2048 | 1 × P_1024 | 14k |


using P enables a reduction to the RSA assumption (Theorem 7) in the standard
model. The main conceptual novelty is that we apply $P$ to the randomness $s$ rather
than to the message $M$ as in HW signatures. Because the values $s$ are relatively small,
our scheme is considerably more efficient than that of [40].

Concretely, the length of $s$ is controlled by the PHF parameter $m$ as $|s| =
\log q + k/m$, where $q$ is an upper bound on the number of signatures the scheme
supports. (See the full version [33] for a formal argument.) For $k = 80$ bits of
security and $q = 2^{30}$ (a commonly recommended bound) we can make use of our new
constructions of $(m,1)$-PHFs with $m > 2$. For example, with a $(4,1)$-PHF, the
bitstring $s$ can be as small as 50 bits, which leads to very small signatures. More
importantly, since the function $P(s)$ only has to generate $|s|$ distinct primes
$e_1, \ldots, e_{|s|}$ (compared to $|M| \gg |s|$ primes in HW signatures), the signing and
verification algorithms are considerably faster. The drawback of our new signature
scheme is that the system parameters of H grow with $m$.

Bilinear Signatures. Our new $q$-DH signatures $\mathrm{Sig}_{q\text{-DH}}[\mathrm{H}]$ are of the form

$$\mathrm{sig}(M) = \left(\mathrm{H}(M)^{1/d(s)},\ s\right), \qquad (2)$$

where again $s$ is a short random bitstring, H is an $(m,1)$ programmable hash
function, and $d(\cdot)$ is a special (secret) function mapping bitstrings to $\mathbb{Z}_p$. Since
$D(s) := g^{d(s)}$ can be computed publicly, verification is done by using the properties
of the bilinear group. Security is proved under the $q$-DH assumption in the
standard model. Similar to our RSA-based signatures, the length of $s$ is controlled
by the PHF parameter $m$. For example, for $m = 8$ we obtain standard-model
signatures of size $|\mathbb{G}| + |s| = 160 + 40 = 200$ bits. We refer to the full
version [33] for details.

Full-Domain Hash Signatures. We remark that full-domain hash signature
schemes over a homomorphic domain (e.g., RSA-FDH and BLS signatures)
instantiated with $(m,1)$-PHFs provide efficient $m$-time signature schemes
without random oracles. This nicely complements the known impossibility
results, which show that without the homomorphic property this is not
possible. We remark that an instantiation of RSA-FDH as an $m$-time signature
scheme was also observed independently.

Proof Techniques and Related Work. Our RSA-based signature scheme
represents a combination of techniques from [36] and [40]. Namely, in the basic
RSA-based signature scheme from [36], a signature is of the form $(\mathrm{H}(M)^{1/s} \bmod
N,\ s)$ for a prime $s$. The use of a programmable hash function H enables very
efficient schemes, whose security however cannot be reduced to the standard
(non-strong) RSA problem, since a forged signature $(\mathrm{H}(M)^{1/s^*}, s^*)$ corresponds
to an RSA inversion with an adversarially chosen exponent $s^*$. On the other hand,
the (basic, weakly secure) signature scheme from [40] is of the form $g^{1/P(M)} \bmod
N$. The special structure of $P$ (which maps a message $M$ to the product of $|M|$
primes) makes it possible to prove security under the standard RSA assumption.
However, since $P$ is applied to messages (i.e., 160-bit strings), evaluation of $P$
requires a large number of primality tests. We combine the best of both worlds
with signatures of the form $(\mathrm{H}(M)^{1/P(s)} \bmod N,\ s)$ for short (e.g., 40-bit) random
strings $s$. In contrast to the scheme of [40], this directly yields a fully secure
signature scheme, so we do not need a chameleon hash function.

In the security proof of our RSA signatures we distinguish between two types
of forgers: type I forgers recycle a value from $\{s_1, \ldots, s_q\}$ for the forgery, where
the $s_i$ are the random bitstrings used for the simulated signatures; type II
forgers use a new value $s^* \notin \{s_1, \ldots, s_q\}$ for the forgery and therefore are more
difficult to reduce to the RSA assumption. For the reduction of type II forgers to
the RSA assumption we can use a clever "prefix-guessing" technique from [40]
to embed the prime $e$ from the RSA challenge in the function $P(\cdot)$ such that
the product $P(s^*)$ contains $e$.⁴ Similar to the proof of HK signatures [36], the
reduction for type I forgers makes use of the $(m,1)$ programmability of $\mathrm{H}(\cdot)$.

Strong $q$-DH signatures (the schemes $\mathrm{Sig}_{Sq\text{-DH}}[\mathrm{H}]$ of Table 1) can actually be viewed as our $q$-DH signatures
from (2) instantiated with the special function $d(s) = x + s$ (where $x$ is part
of the secret key). In our scheme, the leverage to obtain security from $q$-DH is
that the function $D(s) := g^{d(s)}$ acts as a $(\mathrm{poly}, 1)$-PHF. That is, $d(\cdot)$ can be set up
such that (with non-negligible probability) $d(s_i) = x + a(s_i)$ for $a(s_i) \neq 0$ but
$d(s^*) = x$, where $s_1, \ldots, s_q$ is the randomness used for the generated signatures
and $s^*$ is the randomness used for the forgery.


1.3 Open Problems

A number of interesting open problems remain. We ask how to construct (de-
terministic) $(m,1)$-PHFs for $m > 1$ with smaller parameters than the ones from
Table 2. Since the constructions of cover-free sets are known to be optimal up to
a log factor, a new method will be required. Furthermore, obtaining truly prac-
tical signatures from the RSA or factoring assumption is still an open problem.
In particular, we ask for a construction of hash-and-sign (strong) RSA signatures
that does not require the generation of primes at signing.


2 Preliminaries

For $k \in \mathbb{N}$, we write $1^k$ for the string of $k$ ones, and $[k]$ for $\{1, \ldots, k\}$. Moreover,
$|x|$ denotes the length of a bitstring $x$, while $|S|$ denotes the size of a set $S$.
Further, $s \leftarrow S$ denotes sampling a uniformly random element $s$ of $S$. For
an algorithm $A$, we write $z \leftarrow A(x, y, \ldots)$ to indicate that $A$ is a (probabilistic)
algorithm that outputs $z$ on input $(x, y, \ldots)$.


2.1 Digital Signatures

A digital signature scheme Sig = (Gen, Sign, Vfy) consists of three algorithms.
Key generation Gen generates a keypair $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$ for a secret signing
key $sk$ and a public verification key $pk$. The signing algorithm Sign takes a
message and the secret signing key as input, and returns a signature $\sigma \leftarrow \mathrm{Sign}(sk, m)$
of the message. The verification algorithm Vfy takes a verification key and a
message with corresponding signature as input, and returns $b \leftarrow \mathrm{Vfy}(pk, m, \sigma)$
where $b \in \{\mathrm{accept}, \mathrm{reject}\}$. We require the usual correctness properties.

⁴ More precisely, when simulating a type II forger, the values $s_1, \ldots, s_q$ are known
in advance to the simulator. Since $s^* \notin \{s_1, \ldots, s_q\}$ there is some prefix $s^*|_i$ of $s^*$
that is different from all prefixes of $s_1, \ldots, s_q$. We can guess the smallest such prefix,
so that the simulator knows $s^*|_i$ from the forgery at the beginning. This knowledge
can be used to embed $e$ from the RSA challenge in the function $P(\cdot)$ such that the
product $P(s^*)$ contains $e$.
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Let us recall the existential un forgeability against chosen message attacks 
(EUF-CMA) security experiment [311 ■ played between a challenger and a forger 
T. 

1. The challenger runs Gen to generate a keypair ( pk,sk ). The forger receives 
pk as input. 

2. The forger may ask the challenger to sign a number of messages. To query 
the i- th signature, T submits a message to, to the challenger. The challenger 
returns a signature <j % under sk for this message. 

3. The forger outputs a message m* and signature cr*. 

T wins the game, if accept <— Vfyfpfc, that is, a* is a valid signature 

for m*, and m* A m, for all i. We say that T (t, q, e)-breaks the EUF-CMA 
security of Sig, if T runs in time t, makes at most q signing queries, and has 
success probability e. We say that Sig is EUF-CMA secure, or Sig is fully secure, 
if e is negligible for any probabilistic polynomial-time algorithm T . 

We also say, that a scheme is weakly secure, if it meets the above security defi- 
nition, but the adversary can not choose the messages to be signed adaptively. 
Instead it has to commit to a list mi , . . . , m q before seeing the public key. There 
exist efficient generic techniques to convert a weakly secure signature scheme 
into a fully secure one, e.g., using chameleon hashes pH] . 

2.2 Prime Numbers, Factoring, and the RSA Assumption

For $x \in \mathbb{N}$ let $\pi(x)$ denote the number of primes between 0 and $x$. The following
lemma is a direct consequence of Chebyshev's bounds on $\pi(x)$ (see a standard
number theory text, for instance).

Lemma 1. $\pi(x)$ lies between constant multiples of $x/\log x$ (Chebyshev); the constants
of the statement are not legible in the source.

We say that a prime $p$ is a safe prime if $p = 2p' + 1$ and $p'$ is also prime. Let $p$ and
$q$ be two randomly chosen $k/2$-bit safe primes, and let $N = pq$. Let $e \in \mathbb{Z}_{\phi(N)}$
be a random integer, relatively prime to $\phi(N)$. We say that an algorithm $A$
$(t, \varepsilon)$-breaks the RSA assumption if $A$ runs in time $t$ and

$$\Pr\left[y^{1/e} \leftarrow A(N, e, y)\right] \geq \varepsilon.$$

We assume that there exists no algorithm that $(t, \varepsilon)$-breaks the RSA assumption
with polynomial $t$ and non-negligible $\varepsilon$.

We denote by $\mathrm{QR}_N$ the group of quadratic residues modulo $N$. The following
lemma, which is due to Shamir [53], is useful for the security proof of the generic
RSA-based signature scheme described in Section 4.

Lemma 2. There is an efficient algorithm that, on input $y, z \in \mathbb{Z}_N$ and integers
$e, f \in \mathbb{Z}$ such that $\gcd(e, f) = 1$ and $z^e = y^f \bmod N$, computes $x \in \mathbb{Z}_N$ satisfying
$x^e = y \bmod N$.
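Lemma 2 in working form, as an added example written for this page (not code from the paper): the $e$-th root is assembled from the Bézout coefficients of $e$ and $f$. The modulus `N_TOY`, the base `x` and the exponents in `demo()` are constructed toy values.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, u, v = egcd(b, a % b)
    return (g, v, u - (a // b) * v)


def shamir_root(y, z, e, f, N):
    """Lemma 2 (Shamir's trick).

    Given y, z in Z_N^* and coprime integers e, f with z^e == y^f (mod N),
    return x with x^e == y (mod N).  With u*e + v*f == 1 put x = y^u * z^v:
        x^e = y^(u e) * z^(v e) = y^(u e) * y^(v f) = y^(u e + v f) = y.
    Negative u or v are fine: pow(base, -n, N) is the inverse raised to n.
    """
    g, u, v = egcd(e, f)
    if g != 1:
        raise ValueError("e and f must be coprime")
    if pow(z, e, N) != pow(y, f, N):
        raise ValueError("precondition z^e == y^f (mod N) does not hold")
    return (pow(y, u, N) * pow(z, v, N)) % N


# Constructed toy modulus: a product of two safe primes (2039 = 2*1019+1, 2027 = 2*1013+1).
N_TOY = 2039 * 2027


def demo():
    """Build an instance with a known root and recover it.  gcd(17, phi(N_TOY)) = 1,
    so the 17-th root of y is unique and the recovered x equals the planted one."""
    x, e, f = 12345, 17, 5
    y, z = pow(x, e, N_TOY), pow(x, f, N_TOY)   # then z^e = x^(e f) = y^f
    return shamir_root(y, z, e, f, N_TOY)
```

In the security proofs the lemma is applied with $f = P(s^*)/e$-style exponents: the reduction holds a $P(s^*)$-th root of some base and the RSA challenge exponent $e$ divides $P(s^*)$ but is coprime to the remaining factor, which is exactly the situation the function above handles.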

2.3 Generalized Birthday Bound

Although not explicitly stated, the following lemma is implicit in [30]. We will
apply it several times in the security proofs for our generic signature schemes.

Lemma 3. Let $A$ be a set with $|A| = a$. Let $X_1, \ldots, X_q$ be $q$ independent random
variables, taking uniformly random values from $A$. Then the probability that there
exist $m + 1$ pairwise distinct indices $i_1, \ldots, i_{m+1}$ such that $X_{i_1} = \cdots = X_{i_{m+1}}$ is
upper bounded by $q^{m+1}/a^m$.

3 Programmable Hash Functions

3.1 Definitions

Let $\mathbb{G} = (\mathbb{G}_k)$ be a family of groups, indexed by the security parameter $k \in \mathbb{N}$. We
omit the subscript when the reference to the security parameter is clear, and thus
write $\mathbb{G}$ for $\mathbb{G}_k$.

A group hash function H over $\mathbb{G}$ with input length $l = l(k)$ consists of
two efficient algorithms PHF.Gen and PHF.Eval. The probabilistic algorithm
$\kappa \leftarrow \mathrm{PHF.Gen}(1^k)$ generates a hash key $\kappa$ for security parameter $k$. Algorithm
PHF.Eval is a deterministic algorithm, taking as input a hash function key $\kappa$ and
$X \in \{0,1\}^l$, and returning $\mathrm{PHF.Eval}(\kappa, X) \in \mathbb{G}$.

Definition 1. We say that a group hash function H = (PHF.Gen, PHF.Eval) is
$(m, n, \gamma, \delta)$-programmable if there is an efficient trapdoor generation algorithm
PHF.TrapGen and an efficient trapdoor evaluation algorithm PHF.TrapEval with
the following properties.

1. The probabilistic algorithm $(\kappa, \tau) \leftarrow \mathrm{PHF.TrapGen}(1^k, g, h)$ takes as input
group elements $g, h \in \mathbb{G}$, and produces a hash function key $\kappa$ together with
trapdoor information $\tau$.

2. For all generators $g, h \in \mathbb{G}$, the keys $\kappa, \kappa'$, where $\kappa \leftarrow \mathrm{PHF.Gen}(1^k)$ and
$(\kappa', \tau) \leftarrow \mathrm{PHF.TrapGen}(1^k, g, h)$, are statistically $\gamma$-close.

3. On input $X \in \{0,1\}^l$ and trapdoor information $\tau$, the deterministic trapdoor
evaluation algorithm $(a_X, b_X) \leftarrow \mathrm{PHF.TrapEval}(\tau, X)$ produces $a_X, b_X \in \mathbb{Z}$
so that for all $X \in \{0,1\}^l$,

$$\mathrm{PHF.Eval}(\kappa, X) = g^{a_X} h^{b_X}.$$

4. For all $g, h \in \mathbb{G}$, all $\kappa$ generated by $(\kappa, \tau) \leftarrow \mathrm{PHF.TrapGen}(1^k, g, h)$, and all
$X_1, \ldots, X_m \in \{0,1\}^l$ and $Z_1, \ldots, Z_n \in \{0,1\}^l$ such that $X_i \neq Z_j$ for all $i, j$,
we have

$$\Pr\left[a_{X_1} = \cdots = a_{X_m} = 0 \ \text{and}\ a_{Z_1}, \ldots, a_{Z_n} \neq 0\right] \geq \delta,$$

where $(a_{X_i}, b_{X_i}) = \mathrm{PHF.TrapEval}(\tau, X_i)$, $(a_{Z_j}, b_{Z_j}) = \mathrm{PHF.TrapEval}(\tau, Z_j)$,
and the probability is taken over the trapdoor $\tau$ produced along with $\kappa$.

We also say that H is $(m, n)$-programmable for short if $\gamma$ is negligible and $\delta$ is
noticeable. If H is $(1, q)$-programmable for every polynomial $q = q(k)$, then we
say that H is $(1, \mathrm{poly})$-programmable.

In settings in which the group order is hidden, we will use a refinement of the
PHF definition:

Definition 2. A group hash function H = (PHF.Gen, PHF.Eval) is evasively
$(m, n, \gamma, \delta)$-programmable if it is $(m, n, \gamma, \delta)$-programmable as in Definition 1,
but with the strengthened requirement

4'. For all prime numbers $e$ with $2^l < e < |\mathbb{G}|$, all $g, h \in \mathbb{G}$, all $\kappa$ gen-
erated by $(\kappa, \tau) \leftarrow \mathrm{PHF.TrapGen}(1^k, g, h)$, and all $X_1, \ldots, X_m \in \{0,1\}^l$ and
$Z_1, \ldots, Z_n \in \{0,1\}^l$ such that $X_i \neq Z_j$ for all $i, j$, we have

$$\Pr\left[a_{X_1} = \cdots = a_{X_m} = 0 \ \text{and}\ \gcd(a_{Z_1}, e) = \cdots = \gcd(a_{Z_n}, e) = 1\right] \geq \delta.$$

Here $a_{X_i}$ and $a_{Z_j}$ denote the output of the trapdoor evaluation algorithm,
$(a_{X_i}, b_{X_i}) = \mathrm{PHF.TrapEval}(\tau, X_i)$ and $(a_{Z_j}, b_{Z_j}) = \mathrm{PHF.TrapEval}(\tau, Z_j)$, and
the probability is taken over the trapdoor $\tau$ produced along with $\kappa$.

Hofheinz and Kiltz [36] have also introduced the notion of randomized pro-
grammable hash functions. A randomized group hash function H with input
length $l = l(k)$ and randomness space $\mathcal{R} = (\mathcal{R}_k)$ consists of two efficient al-
gorithms RPHF.Gen and RPHF.Eval. Algorithm RPHF.Gen is probabilistic, and
generates a hash key $\kappa \leftarrow \mathrm{RPHF.Gen}(1^k)$ for security parameter $k$. The determin-
istic algorithm RPHF.Eval takes randomness $r \in \mathcal{R}_k$ and $X \in \{0,1\}^l$ as input,
and returns a group element $\mathrm{RPHF.Eval}(\kappa, X; r) \in \mathbb{G}$.

Definition 3. Let H = (RPHF.Gen, RPHF.Eval) be a randomized group hash
function. We say that H is $(m, n, \gamma, \delta)$-programmable if there are efficient algo-
rithms RPHF.TrapGen, RPHF.TrapEval, and RPHF.TrapRand such that:

1. The probabilistic algorithm $\mathrm{RPHF.TrapGen}(1^k, g, h)$ takes as input group el-
ements $g, h \in \mathbb{G}$, and produces a key $\kappa$ and trapdoor $\tau$. For all generators
$g, h \in \mathbb{G}$, the keys $\kappa \leftarrow \mathrm{RPHF.Gen}(1^k)$ and $(\kappa', \tau) \leftarrow \mathrm{RPHF.TrapGen}(1^k, g, h)$ are
statistically $\gamma$-close.

2. The deterministic trapdoor evaluation algorithm takes as input $X \in \{0,1\}^l$ and
$\tau$, and produces two functions $(a_X(\cdot), b_X(\cdot)) \leftarrow \mathrm{RPHF.TrapEval}(\tau, X)$
such that for all $X \in \{0,1\}^l$ and $r \in \mathcal{R}_k$,

$$\mathrm{RPHF.Eval}(\kappa, X; r) = g^{a_X(r)} h^{b_X(r)}.$$

3. On input of trapdoor $\tau$, $X \in \{0,1\}^l$, and index $i \in [m]$, the RPHF.TrapRand
algorithm produces $r \leftarrow \mathrm{RPHF.TrapRand}(\tau, X, i)$ with $r \in \mathcal{R}_k$. For all $g, h \in
\mathbb{G}$, all $\kappa$ generated by $(\kappa, \tau) \leftarrow \mathrm{RPHF.TrapGen}(1^k, g, h)$, all $X_1, \ldots, X_m$, and
$r_{X_i} = \mathrm{RPHF.TrapRand}(\tau, X_i, i)$, we require that the $r_{X_i}$ are independent and
uniformly distributed random variables over $\mathcal{R}_k$.

4. For all $g, h \in \mathbb{G}$ and all $\kappa$ generated by $(\kappa, \tau) \leftarrow \mathrm{RPHF.TrapGen}(1^k, g, h)$, all
$X_1, \ldots, X_m \in \{0,1\}^l$ and $Z_1, \ldots, Z_n \in \{0,1\}^l$ such that $X_i \neq Z_j$, and for
all $\bar{r}_1, \ldots, \bar{r}_n \in \mathcal{R}_k$ and $r_{X_i} \leftarrow \mathrm{RPHF.TrapRand}(\tau, X_i, i)$, we have

$$\Pr\left[a_{X_1}(r_{X_1}) = \cdots = a_{X_m}(r_{X_m}) = 0 \ \text{and}\ a_{Z_1}(\bar{r}_1), \ldots, a_{Z_n}(\bar{r}_n) \neq 0\right] \geq \delta,$$

where the $a_{X_i}$ and $a_{Z_j}$ are the output of the trapdoor evaluation $(a_{X_i}, b_{X_i}) =
\mathrm{RPHF.TrapEval}(\tau, X_i)$ and $(a_{Z_j}, b_{Z_j}) = \mathrm{RPHF.TrapEval}(\tau, Z_j)$, and the
probability is taken over the trapdoor $\tau$ produced along with $\kappa$. Here $X_i$ may
depend on $X_j$ and $r_{X_j}$ for $j < i$, and the $Z_1, \ldots, Z_n$ may depend on all $X_i$
and $r_{X_i}$.

Again we omit $\gamma$ and $\delta$ if $\gamma$ is negligible and $\delta$ is noticeable. Randomized eva-
sively programmable hash functions are defined as in Definition 2.

Table 2. Overview of our constructions of (randomized/weak) programmable hash
functions. Rows with grey background are new constructions from this paper.

In the remainder of this section we propose a number of new PHFs offering
different trade-offs. Our results are summarized in Table 2.

3.2 Multi-generator Programmable Hash Function

The programmable hash function described in Definition 4 below was (implicitly)
introduced in [55]. An explicit analysis can be found in [36].

Definition 4. Let $\mathbb{G} = (\mathbb{G}_k)$ be a group family, and $l = l(k)$ be a polynomial.
Let $\mathrm{H}_{\mathrm{wat}}$ = (PHF.Gen, PHF.Eval) be defined as follows.

- $\mathrm{PHF.Gen}(1^k)$ returns $\kappa = (h_0, \ldots, h_l)$, where $h_i \leftarrow \mathb{G}_k$ for $i \in \{0, \ldots, l\}$.

- On input $X = (x_1, \ldots, x_l) \in \{0,1\}^l$ and $\kappa = (h_0, \ldots, h_l)$, $\mathrm{PHF.Eval}(\kappa, X)$
returns

$$\mathrm{PHF.Eval}(\kappa, X) = h_0 \prod_{i=1}^{l} h_i^{x_i}.$$

Theorem 1 (Theorem 3.6 of [36]). For any fixed polynomial $q = q(k)$ and
any group with known order, $\mathrm{H}_{\mathrm{wat}}$ is an evasively $(1, q, 0, O(1/(q\sqrt{l})))$-programmable
and $(2, 1, 0, O(1/l))$-programmable hash function.

Although evasive programmability was not introduced in [36], it follows from
their proof, since the values of $a_{Z_j}$ that occur there are bounded in the sense
$|a_{Z_j}| < 2^l$. We remark that Theorem 1 also carries over to groups of unknown
order.


3.3 A New Deterministic Programmable Hash Function

Let $S, T$ be sets. We say that $S$ does not cover $T$ if $T \not\subseteq S$. Let $d, m, s$ be
integers, and let $F = (F_i)_{i \in [s]}$ be a family of $s$ subsets of $[d]$. We say that $F$ is
$m$-cover free if for any set $I$ containing (up to) $m$ indices, $I = \{i_1, \ldots, i_m\} \subseteq [s]$,
it holds that $F_j \not\subseteq \bigcup_{i \in I} F_i$ for any $j$ which is not contained in $I$. In other words,
if $|I| \leq m$, then the union $\bigcup_{i \in I} F_i$ does not cover $F_j$ for all $j \in [s] \setminus I$. We say
that $F$ is $w$-uniform if $|F_i| = w$ for all $i \in [s]$.

Lemma 4. There is a deterministic polynomial-time algorithm that,
on input of integers $m$ and $s = 2^l$, returns $d \in \mathbb{N}$ and a set family $F = (F_i)_{i \in [s]}$ such
that $F$ is $m$-cover free over $[d]$ and $w$-uniform, where $d \leq 16 m^2 l$ and $w = d/4m$.

In the following we will associate $X \in \{0,1\}^l$ to a subset $F_i$, $i \in [s]$, by inter-
preting $X$ as an integer in the range $[0, 2^l - 1]$ and setting $i = X + 1$. We will
write $F_X$ to denote the subset associated to $X$.

Definition 5. Let $\mathbb{G} = (\mathbb{G}_k)$ be a group family, and $l = l(k)$ and $m = m(k)$ be
polynomials. Let $s = 2^l$, $d = 16 m^2 l$, and $w = d/4m$. We define a hash function
$\mathrm{H}_{\mathrm{cfs}}$ = (PHF.Gen, PHF.Eval) as follows.

- $\mathrm{PHF.Gen}(1^k)$ returns $\kappa = (h_1, \ldots, h_d)$, where $h_i \leftarrow \mathbb{G}_k$ for $1 \leq i \leq d$.

- Let $F_X \subseteq [d]$ be the subset associated to $X \in [0, 2^l - 1]$. On input $X$ and
$\kappa = (h_1, \ldots, h_d)$, $\mathrm{PHF.Eval}(\kappa, X)$ returns

$$\mathrm{PHF.Eval}(\kappa, X) = \prod_{i \in F_X} h_i.$$

Theorem 2. Let $\mathbb{G} = \mathbb{G}_k$ be a group of known order $p$. $\mathrm{H}_{\mathrm{cfs}}$ is an evasively
$(m, 1, \gamma, \delta)$-programmable hash function with $\gamma = 0$ and $\delta = 1/(16 m^2 l)$.

Proof. Consider the following algorithms.

- $\mathrm{PHF.TrapGen}(1^k, g, h)$ samples $d$ uniformly random integers $b_1, \ldots, b_d \leftarrow \mathbb{Z}_p$
and an index $t \leftarrow [d]$. Then it sets $h_t = g h^{b_t}$, and $h_i = h^{b_i}$ for all $i \in [1, d]$
with $i \neq t$. PHF.TrapGen returns $(\kappa, \tau)$ with $\tau = (t, b_1, \ldots, b_d)$ and $\kappa =
(h_1, \ldots, h_d)$.

- On input $(\tau, X)$, PHF.TrapEval sets $b_X = \sum_{i \in F_X} b_i$ and $a_X = 1$ if $t \in F_X$,
and $a_X = 0$ if $t \notin F_X$, and returns $(a_X, b_X)$.

PHF.TrapGen outputs a vector of independent and uniformly distributed group
elements, thus we have $\gamma = 0$. Fix $X_1, \ldots, X_m, Z \in [0, 2^l - 1]$. Since $F$ is an
$m$-cover free set family, there must be an index $t'$ such that $t' \notin \bigcup_{i=1}^{m} F_{X_i}$,
but $t' \in F_Z$. Since $t$ is picked uniformly at random among $16 m^2 l$ possibilities, we
have $t = t'$, and thus $a_{X_i} = 0$ for all $i$ and $a_Z = 1$, with probability at least $\delta = 1/(16 m^2 l)$.
Finally, $a_Z = 1$ implies $\gcd(a_Z, e) = 1$ for all primes $e$, thus $\mathrm{H}_{\mathrm{cfs}}$ is evasively
programmable.

Theorem 2 can be generalized to groups of hidden order. The proof proceeds
exactly like the proof of Theorem 2, except that we have to approximate the
group order. E.g., for the group of quadratic residues $\mathrm{QR}_N$, we can sample random
exponents $b_i \leftarrow \mathbb{Z}_{N^2}$. This way, we can sample nearly uniform ($1/\sqrt{N}$-close) group
elements $h_i = h^{b_i}$, which yields the following theorem.

Theorem 3. Let $\mathbb{G} = \mathrm{QR}_N$ be the group of quadratic residues modulo $N =
pq$, where $p$ and $q$ are distinct safe primes. $\mathrm{H}_{\mathrm{cfs}}$ is an evasively $(m, 1, \gamma, \delta)$-pro-
grammable hash function over $\mathbb{G}$ with $\gamma = d/\sqrt{N}$ and $\delta = 1/(16 m^2 l)$.
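The construction of this section in working form, as an added example written for this page (not the paper's code). It builds a small cover-free family, checks the cover-free property by brute force, and runs the TrapGen/TrapEval pair from the proof of Theorem 2 over a constructed toy group, measuring how often $a_{X_i} = 0$ for all $i$ while $a_Z = 1$. Assumptions: the family is the standard polynomial construction over $\mathbb{F}_q$ (Lemma 4 states only the parameters of its family, so the $d$ obtained here is smaller than $16 m^2 l$); the group is $\mathrm{QR}_{2039}$ of prime order 1019 with generators 4 and 9; sets are indexed from 0, so $F_X$ is `fam[X]` rather than $F_{X+1}$.

```python
import itertools
import random

# Constructed toy group: P = 2p + 1 is a safe prime, so QR_P has prime order p.
P, p = 2039, 1019
g, h = 4, 9   # nontrivial squares mod P, hence generators of QR_P


def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def cover_free_family(m, l):
    """m-cover-free, w-uniform family of s = 2^l subsets of [d] (assumption: the
    classical polynomial construction).  Pick a prime q and degree bound t with
    q^t >= s and m(t-1) < q, and let F_f = {(x, f(x)) : x in F_q} for each
    polynomial f of degree < t, with (x, y) encoded as the index x*q + y in [d],
    d = q^2.  Distinct polynomials agree in at most t-1 points, so m other sets
    cover at most m(t-1) < q = w points of F_f.  Returns (sets, d)."""
    s = 2 ** l
    q = 2
    while True:
        t = 1
        while q ** t < s:
            t += 1
        if is_prime(q) and m * (t - 1) < q:
            break
        q += 1
    sets = []
    for coeffs in itertools.islice(itertools.product(range(q), repeat=t), s):
        sets.append(frozenset(
            x * q + sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q
            for x in range(q)))
    return sets, q * q


def is_m_cover_free(sets, m):
    """Brute-force check of the definition at the start of Section 3.3."""
    for I in itertools.combinations(range(len(sets)), m):
        union = frozenset().union(*(sets[i] for i in I))
        if any(j not in I and sets[j] <= union for j in range(len(sets))):
            return False
    return True


def phf_gen(d, rng):
    return [pow(g, rng.randrange(p), P) for _ in range(d)]       # kappa = (h_1, ..., h_d)


def phf_eval(kappa, F_X):
    out = 1
    for i in F_X:
        out = out * kappa[i] % P                                   # prod_{i in F_X} h_i
    return out


def phf_trapgen(d, rng):
    """Proof of Theorem 2: h_t = g * h^{b_t} for one secret index t, h_i = h^{b_i} otherwise."""
    b = [rng.randrange(p) for _ in range(d)]
    t = rng.randrange(d)
    kappa = [pow(h, bi, P) for bi in b]
    kappa[t] = g * kappa[t] % P
    return kappa, (t, b)


def phf_trapeval(trap, F_X):
    t, b = trap
    return (1 if t in F_X else 0), sum(b[i] for i in F_X) % p      # (a_X, b_X)


def programmability_demo(m, l, trials, seed=1):
    """Run TrapGen `trials` times for X_1..X_m = 0..m-1 and Z = m.  Returns the
    observed fraction of keys with a_{X_i} = 0 for all i and a_Z = 1, and 1/d,
    the lower bound that the proof of Theorem 2 guarantees for this family."""
    rng = random.Random(seed)
    fam, d = cover_free_family(m, l)
    Xs, Z = list(range(m)), m
    hits = 0
    for _ in range(trials):
        kappa, trap = phf_trapgen(d, rng)
        for X in Xs + [Z]:                       # property 3: Eval(kappa, X) = g^{a_X} h^{b_X}
            a_X, b_X = phf_trapeval(trap, fam[X])
            assert phf_eval(kappa, fam[X]) == pow(g, a_X, P) * pow(h, b_X, P) % P
        if all(phf_trapeval(trap, fam[X])[0] == 0 for X in Xs) \
                and phf_trapeval(trap, fam[Z])[0] == 1:
            hits += 1
    return hits / trials, 1 / d
```

For $m = 2$ and $l = 6$ the family uses $q = 5$, $t = 3$, so $d = 25$ and $w = 5$; the observed success rate of the trapdoor is $|F_Z \setminus (F_{X_1} \cup F_{X_2})|/d$, which is at least $1/d$ and here equals $4/25$.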
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3.4 A Randomized Programmable Hash Function 

In jSS| a randomized (2, 1)-PHF was described which we now generalize to a 
randomzied (m, 1)-PRF, for any m > 1. 

Definition 6. Let G = (G*,) be a group family, and m = m(k ) be a polynomial. 
In the following, let [X] 2 i G Z denote a canonical interpretation of a field element 
X G F 2 i as an integer between 0 and 2 l — 1. We assume that X and [X] 2 i are 
efficiently computable from one another. Let H ranc ) = (PHF.Gen, PHF.Eval) be 
defined as follows. 

— RPHF.Gen(l fc ) returns a uniformly sampled k = (ho, (hjj)(ij) e [ 2 m ]x[m]) G 
G 2m2+1 . 

— RPHF.Eval(K, X; r) parses X, r G F 2 i, and computes and returns 

RPHF.EvaU(Xjr) = h 0 


Theorem 4. For any group G of known order, H ranc i is evasively (to, 1,0, 1/2)- 
programmable. For the group G = QR jV of quadratic residues modulo N = pq 
for safe distinct primes p and q, the function H ran< j is evasively (m, l,(2m 2 + 
l)/\/N, 1/2) -programmable. 

The proof is given in the full version of this paper m- 

3.5 A Weak Programmable Hash Function

Essentially, a weak programmable hash function is a programmable hash function
according to Definition 1, except that the trapdoor generation algorithm receives
a list $X_1, \ldots, X_m \in \{0,1\}^l$ as additional input. On the one hand this allows us
to construct significantly more efficient deterministic programmable hash func-
tions, while on the other hand our generic signature schemes are only weakly
secure when instantiated with weak programmable hash functions. Fully secure
signature schemes can be obtained by applying a generic conversion from weak to
full security, for instance using chameleon hashes, which can be constructed
based on standard assumptions like discrete logarithms, RSA, or factoring.

Definition 7. A group hash function is a weak $(m, n, \gamma, \delta)$-programmable hash
function if there is a (probabilistic) algorithm PHF.TrapGen and a (determinis-
tic) algorithm PHF.TrapEval such that:

1. $(\kappa, \tau) \leftarrow \mathrm{PHF.TrapGen}(1^k, g, h, X_1, \ldots, X_m)$ takes as input group elements
$g, h \in \mathbb{G}$ and $X_1, \ldots, X_m \in \{0,1\}^l$, and produces a hash function key $\kappa$
together with trapdoor information $\tau$.

2.–4. Like in Definition 1.

As before, we may omit $\gamma$ and $\delta$ if $\gamma$ is negligible and $\delta$ is noticeable. Weak
evasively programmable hash functions are defined as in Definition 2.

Interestingly, there is a very simple way to construct a randomized pro-
grammable hash function according to Definition 3 from any weak programmable
hash function. Let us now describe our instantiation of a weak (evasively) pro-
grammable hash function. This PHF already appeared implicitly in earlier work
for $m = 1$.

Definition 8. Let $\mathbb{G} = (\mathbb{G}_k)$ be a group family, and $l = l(k)$ and $m = m(k)$ be
polynomials. Let $\mathrm{H}_{\mathrm{weak}}$ = (PHF.Gen, PHF.Eval) be defined as follows.

- $\mathrm{PHF.Gen}(1^k)$ returns $\kappa = (h_0, \ldots, h_m)$, where $h_i \leftarrow \mathbb{G}_k$ for $i \in \{0, \ldots, m\}$.

- On input $X \in \{0,1\}^l$ and $\kappa = (h_0, \ldots, h_m)$, $\mathrm{PHF.Eval}(\kappa, X)$ returns

$$\mathrm{PHF.Eval}(\kappa, X) = \prod_{i=0}^{m} h_i^{X^i}.$$

Here we interpret the $l$-bit string $X$ as an integer in the canonical way.

Theorem 5. Let $\mathbb{G} = \mathbb{G}_k$ be a group of known order $p$. $\mathrm{H}_{\mathrm{weak}}$ is a weak evasively
$(m, 1, \gamma, \delta)$-programmable hash function with $\gamma = 0$ and $\delta = 1$.

Again we can generalize Theorem 5 to groups of hidden order. The proof proceeds
exactly like the proof of Theorem 5, except that we have to approximate the
group order. For the group of quadratic residues $\mathrm{QR}_N$, we can sample the random
exponents $b_i$ from $\mathbb{Z}_{N^2}$ for $i \in [0, m]$, which yields the following theorem.

Theorem 6. Let $\mathbb{G} = \mathrm{QR}_N$ be the group of quadratic residues modulo $N = pq$,
where $p$ and $q$ are distinct safe primes. $\mathrm{H}_{\mathrm{weak}}$ is a weak evasively $(m, 1, \gamma, \delta)$-programmable hash
function over $\mathbb{G}$ with $\gamma = (m + 1)/\sqrt{N}$ and $\delta = 1$.
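The weak PHF of Definition 8 together with the trapdoor that Theorem 5 asserts (its proof is not on this page), as an added example written for this page rather than taken from the paper. TrapGen programs $h_i = g^{a_i} h^{b_i}$ where the $a_i$ are the integer coefficients of $a(T) = \prod_i (T - X_i)$, so $a_X = a(X)$ vanishes exactly on $X_1, \ldots, X_m$ and, for any other $l$-bit $Z$, is a nonzero product of factors with $|Z - X_i| < 2^l$, which gives $\gcd(a_Z, e) = 1$ for every prime $e > 2^l$ (the evasive property). Assumptions: the same constructed toy group $\mathrm{QR}_{2039}$ of order 1019 with generators 4 and 9; exponents $a_i$ are kept as integers rather than reduced mod $p$ so that the gcd argument is visible; for the hidden-order case of Theorem 6 the $b_i$ would be drawn from $\mathbb{Z}_{N^2}$ instead of $\mathbb{Z}_p$.

```python
import random

P, p = 2039, 1019   # constructed toy group: safe prime P = 2p + 1, G = QR_P of prime order p
g, h = 4, 9         # nontrivial squares mod P, hence generators of G


def poly_mul(a, b):
    """Product of integer polynomials given as coefficient lists, lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def hweak_gen(m, rng):
    """PHF.Gen(1^k): kappa = (h_0, ..., h_m), each uniform in G."""
    return [pow(g, rng.randrange(p), P) for _ in range(m + 1)]


def hweak_eval(kappa, X):
    """PHF.Eval(kappa, X) = prod_{i=0}^{m} h_i^{X^i}, with the l-bit string X read as an integer."""
    out = 1
    for i, hi in enumerate(kappa):
        out = out * pow(hi, X ** i, P) % P
    return out


def hweak_trapgen(Xs, rng):
    """PHF.TrapGen(1^k, g, h, X_1..X_m): a(T) = prod_i (T - X_i) over Z, h_i = g^{a_i} h^{b_i}.
    The b_i are uniform in Z_p, so kappa is distributed exactly as in PHF.Gen (gamma = 0)."""
    a = [1]
    for Xi in Xs:
        a = poly_mul(a, [-Xi, 1])
    b = [rng.randrange(p) for _ in a]
    kappa = [pow(g, ai, P) * pow(h, bi, P) % P for ai, bi in zip(a, b)]  # negative ai: inverse power
    return kappa, (a, b)


def hweak_trapeval(trap, X):
    """(a_X, b_X) with Eval(kappa, X) = g^{a_X} h^{b_X}; a_X = a(X) = prod_i (X - X_i) as an integer."""
    a, b = trap
    return (sum(ai * X ** i for i, ai in enumerate(a)),
            sum(bi * X ** i for i, bi in enumerate(b)))


def check_programmability(m, l, Z, seed=7):
    """Program the key on m random l-bit inputs X_i != Z; check property 3 of Definition 1
    on every input and return ([a_{X_1}, ..., a_{X_m}], a_Z)."""
    rng = random.Random(seed)
    Xs = rng.sample([x for x in range(2 ** l) if x != Z], m)
    kappa, trap = hweak_trapgen(Xs, rng)
    for X in Xs + [Z]:
        a_X, b_X = hweak_trapeval(trap, X)
        assert hweak_eval(kappa, X) == pow(g, a_X, P) * pow(h, b_X, P) % P
    return [hweak_trapeval(trap, X)[0] for X in Xs], hweak_trapeval(trap, Z)[0]
```

With $m = 3$ and $l = 8$, every programmed input yields $a_{X_i} = 0$, and $a_Z$ is a nonzero integer of absolute value below $2^{24}$, so it cannot be divisible by a prime such as $257 > 2^8$.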

4 Signatures from the RSA Problem

4.1 Construction

Let $l = l(k)$ and $\lambda = \lambda(k)$ be polynomials. Let H = (PHF.Gen, PHF.Eval) be a
group hash function over $\mathbb{G} = \mathrm{QR}_N$ with input length $l$. We define the signature
scheme $\mathrm{Sig}_{\mathrm{RSA}}[\mathrm{H}]$ = (Gen, Sign, Vfy) as follows.

$\mathrm{Gen}(1^k)$: The key generation algorithm picks two large safe primes $p$
and $q$ (of $k/2$ bits each, as in Section 2.2), and sets $N = pq$. Then it generates a group hash function key $\kappa \leftarrow
\mathrm{PHF.Gen}(1^k)$ for the group $\mathrm{QR}_N$. Finally it chooses a random key $K$ for the
pseudorandom function $\mathrm{PRF}: \{0,1\}^* \to \{0,1\}^r$ and picks $c \leftarrow \{0,1\}^r$, where
$r = \lceil \log N \rceil$. These values define a function $F$ as

$$F(z) = \mathrm{PRF}_K(\mu \| z) \oplus c,$$

where $\mu$, called the resolving index of $z$, denotes the smallest positive integer
such that $\mathrm{PRF}_K(\mu \| z) \oplus c$ is an odd prime. Here $\oplus$ denotes the bit-wise XOR
operation, and we interpret the $r$-bit string returned by $F$ as an integer in
the obvious way. (The definition of $F$ is the same as in [40]. It is possible
to replace the PRF with a hash function of sufficient independence.) The
public key is $pk = (N, \kappa, K, c)$, the secret key is $sk = (pk, p, q)$.

In the following we will write $\mathrm{H}(M)$ as shorthand for $\mathrm{PHF.Eval}(\kappa, M)$, and define
$P: \{0,1\}^\lambda \to \mathbb{N}$ as $P(s) = \prod_{i=1}^{\lambda} F(s|_i)$, where $s|_i$ is the $i$-th prefix of $s$, i.e., the
bit string consisting of the first $i$ bits of $s$. We also define $s|_0 = \emptyset$, where $\emptyset$ is the
empty string, for technical reasons.

$\mathrm{Sign}(sk, M)$: On input of secret key $sk$ and message $M \in \{0,1\}^l$, the signing
algorithm picks $s \leftarrow \{0,1\}^\lambda$ uniformly at random and computes

$$\sigma = \mathrm{H}(M)^{1/P(s)} \bmod N,$$

where the inverse of $P(s)$ is computed modulo the order $\phi(N) = (p-1)(q-1)$
of the multiplicative group $\mathbb{Z}_N^*$. The signature is $(\sigma, s) \in \mathbb{Z}_N \times \{0,1\}^\lambda$.

$\mathrm{Vfy}(pk, M, (\sigma, s))$: On input of $pk$, message $M$, and signature $(\sigma, s)$, return
accept if

$$\mathrm{H}(M) = \sigma^{P(s)} \bmod N.$$

Otherwise return reject.

Correctness. If $\sigma = \mathrm{H}(M)^{1/P(s)}$, then we have $\sigma^{P(s)} = \mathrm{H}(M)^{P(s)/P(s)} = \mathrm{H}(M)$.
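The scheme Gen/Sign/Vfy above, instantiated with the multi-generator hash $\mathrm{H}_{\mathrm{wat}}$ of Definition 4 over $\mathrm{QR}_N$, as an added example written for this page (not the authors' code). Everything is scaled down to toy size so it runs in well under a second: $N$ is the product of two small safe primes, messages are $l = 16$ bits, $\lambda = 8$, and the PRF is HMAC-SHA256 truncated to $r$ bits. These sizes, the key material, the primality test and the byte encoding of $\mu \| z$ are assumptions of the example, not parameters from the paper; the structure (resolving index, product of primes over the prefixes of $s$, inverse of $P(s)$ modulo $\phi(N)$) follows the text.

```python
import hashlib
import hmac
import random

# Constructed toy parameters: two small safe primes (2039 = 2*1019+1, 2027 = 2*1013+1).
p, q = 2039, 2027
N = p * q
PHI = (p - 1) * (q - 1)
R = N.bit_length()   # r = ceil(log2 N): F returns r-bit strings
L = 16               # message length l in bits
LAMBDA = 8           # |s|; the paper sets lambda = log q + k/m at full size


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (bases 2..41 suffice there)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(K, data):
    """PRF_K: {0,1}^* -> {0,1}^r, here HMAC-SHA256 truncated to r bits (an assumption)."""
    return int.from_bytes(hmac.new(K, data, hashlib.sha256).digest(), "big") & ((1 << R) - 1)


def F(pk, z):
    """F(z) = PRF_K(mu || z) xor c, mu the resolving index: the smallest mu >= 1 making
    the result an odd prime.  z is a bit string such as '0110'."""
    mu = 1
    while True:
        e = prf(pk["K"], mu.to_bytes(4, "big") + z.encode()) ^ pk["c"]
        if e > 2 and e % 2 == 1 and is_prime(e):
            return e
        mu += 1


def P(pk, s):
    """P(s) = prod_{i=1}^{lambda} F(s|_i), where s|_i is the first i bits of s."""
    out = 1
    for i in range(1, len(s) + 1):
        out *= F(pk, s[:i])
    return out


def H(pk, M):
    """H_wat(M) = h_0 * prod_{i : M_i = 1} h_i over QR_N (Definition 4)."""
    hs = pk["kappa"]
    out = hs[0]
    for i, bit in enumerate(M, start=1):
        if bit == "1":
            out = out * hs[i] % N
    return out


def gen(rng):
    kappa = [pow(rng.randrange(2, N), 2, N) for _ in range(L + 1)]  # random squares: elements of QR_N
    K = rng.getrandbits(128).to_bytes(16, "big")
    c = rng.getrandbits(R)
    pk = {"N": N, "kappa": kappa, "K": K, "c": c}
    return pk, {"pk": pk, "p": p, "q": q}


def sign(sk, M, rng):
    pk = sk["pk"]
    s = "".join(rng.choice("01") for _ in range(LAMBDA))
    d = pow(P(pk, s), -1, PHI)        # 1/P(s) mod phi(N); only the holder of p, q can do this
    return pow(H(pk, M), d, N), s     # sigma = H(M)^{1/P(s)} mod N


def verify(pk, M, sig):
    sigma, s = sig
    return pow(sigma, P(pk, s), N) == H(pk, M)


def demo(key_seed=1, sig_seed=2):
    """Fixed-seed key generation, one signature, three verifications.  Returns
    (signature, valid on M, valid on another message, valid after tampering with sigma)."""
    pk, sk = gen(random.Random(key_seed))
    M, other = "1100101001011100", "0011010110100011"
    sig = sign(sk, M, random.Random(sig_seed))
    tampered = (sig[0] * 2 % N, sig[1])
    return sig, verify(pk, M, sig), verify(pk, other, sig), verify(pk, M, tampered)
```

Verification recomputes all $\lambda$ primes of $P(s)$ and checks $\sigma^{P(s)} = \mathrm{H}(M)$; at full size this prime generation, not the exponentiation, is the dominant cost, which is the point of the Efficiency paragraph below.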

Theorem 7. Let PRF be an $(\varepsilon'', t'')$-secure pseudorandom function and H be an
$(m, 1, \gamma, \delta)$-evasively programmable hash function. Suppose there exists a $(t, q, \varepsilon)$-
forger $\mathcal{F}$ breaking the existential unforgeability under adaptive chosen message attacks
of $\mathrm{Sig}_{\mathrm{RSA}}[\mathrm{H}]$. Then there exists an adversary that $(t', \varepsilon')$-breaks the RSA assump-
tion with $t' \approx t$ and $\varepsilon$ is bounded by


We only give a brief proof outline here, and refer to the full version [33] for
details. As is customary in proofs for similar signature schemes,
we distinguish between Type I and Type II forgers. A Type I forger forges a
signature of the form $(M^*, \sigma^*, s^*)$ with $s^* = s_i$ for some $i \in [q]$. (That is, a
Type I forger reuses some $s_i$ from a signature query.) A Type II forger returns
a signature with a fresh $s^*$.

It will be easiest to first describe how to treat a Type II forger $\mathcal{F}$. Recall
that we need to put up a simulation that is able to generate $q$ signatures
$(M_i, \sigma_i, s_i)_{i \in [q]}$ for adversarially chosen messages $M_i$. To do this, we choose all
$s_i$ in advance. We then prepare the PHF H using PHF.TrapGen, but relative to
generators $g$ and $h$ for which we know $P(s_i)$-th roots. (That is, we set $g := \hat{g}^E$
and $h := \hat{h}^E$ for $E := \prod_i P(s_i)$.) This allows us to generate signatures for $\mathcal{F}$; also,
by the security of the PHF H, this change goes unnoticed by $\mathcal{F}$. However, each
time $\mathcal{F}$ outputs a new signature, it essentially outputs a fresh root $\hat{g}^{1/P(s^*)}$ of $\hat{g}$,
from which we can derive a $P(s^*)$-th root of $\hat{g}$. To construct an RSA adversary
from this experiment, we have to embed an auxiliary given exponent $e$ into the
definition of $P$, such that $\hat{g}^{1/P(s^*)}$ allows us to derive $\hat{g}^{1/e}$. This can be done along
the lines of the proof of the Hohenberger-Waters scheme [40]. Concretely, for
initially given values $s_i$ and $e$, we can set up $P$ such that (a) $e$ does not divide
any $P(s_i)$, but (b) for any other fixed $s^*$, the probability that $e$ divides $P(s^*)$ is
significant. Note that in our scheme, the $s_i$ are chosen by the signer, and thus our
simulation can select them in advance. In contrast to that, the HW scheme uses
the signed messages $M_i$ as arguments to $P$, and thus their argument achieves
only a weaker form of security in which the forger has to commit to all signature
queries beforehand.

Now the proof for Type I forgers proceeds similarly, but with the addi-
tional complication that we have to prepare one or more signatures of the form
$\mathrm{H}(M_j)^{1/P(s_i)}$ for the same $s_i = s^*$ that $\mathcal{F}$ eventually uses in its forgery. We re-
solve this complication by relying on the PHF properties of H. Namely, we first
choose all $s_i$ and guess $i$ (i.e., the index of the $s_i$ with $s_i = s^*$). We then prepare
H with generators $g, h$ such that we know all $P(s_j)$-th roots of $h$ (for all $j$), and
all $P(s_j)$-th roots of $g$ for all $s_j \neq s_i$. Our hope is that whenever $\mathcal{F}$ asks for the
signature of some $M_j$ with $s_j = s_i$, we have $\mathrm{H}(M_j) \in \langle h \rangle$, so we can compute
$\mathrm{H}(M_j)^{1/P(s_j)}$. At the same time, we hope that $\mathrm{H}(M^*) \notin \langle h \rangle$ has a nontrivial
$g$-factor, so we can build an RSA adversary as for Type II forgers. The PHF
property of H guarantees a significant probability that this works out, provided
that there are no more than $m$ indices $j$ with $s_j = s_i$ (i.e., provided that there
are no $(m+1)$-collisions). However, using a birthday bound (Lemma 3), we can reasonably
upper bound the probability of $(m+1)$-collisions.

In the full version [33] we also give a variant of our scheme which is slightly
more efficient but only offers weak security. A weakly secure signature scheme
can be upgraded to a fully secure one by using a (randomized) chameleon hash
function.

Efficiency. Given $P(s)$, computing $\sigma = \mathrm{H}(M)^{1/P(s)}$ can be carried
out by one single exponentiation. Since one single evaluation of $P(\cdot)$ has to
perform (expected) $\lambda \cdot r$ many primality tests (for $r$-bit primes), the dominant
part of signing and verification is to compute $P(s)$, for $s \in \{0,1\}^\lambda$. Theorem 7
tells us that if H is an $(m,1)$-PHF we can set $\lambda = \log q + k/m$; see the full
version [33] for more details.

Hohenberger and Waters [40] proposed several ways to improve the efficiency
of their RSA-based signature scheme. These improvements apply to our RSA-
based schemes as well. We refer to the full version [33] for details.
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Abstract. In this paper we present a new practical key-recovery attack 
on the SFLASH signature scheme. SFLASH is a derivative of the older 
C* encryption and signature scheme that was broken in 1995 by Patarin. 

In SFLASH, the public key is truncated, and this simple countermeasure 
prevents Patarin’s attack. The scheme is well-known for having been 
considered secure and selected in 2004 by the NESSIE project of the 
European Union to be standardized. 

However, SFLASH was practically broken in 2007 by Dubois, Fouque, 

Stern and Shamir. Their attack breaks the original (and most relevant) 
parameters, but does not apply when more than half of the public key 
is truncated. It is therefore possible to choose parameters such that 
SFLASH is not broken by the existing attacks, although it is less 
efficient. 

We show a key-recovery attack that breaks the full range of parameters 
in practice, as soon as the information-theoretically required amount of 
information is available from the public-key. The attack uses new crypt- 
analytic tools, most notably pencils of matrices and quadratic forms. 

1 Introduction 

Multivariate cryptography is a brand that encompasses the (mostly public-key) 
cryptographic schemes whose security relies on the difficulty of solving systems 
of multivariate polynomial equations over a finite field. Even when restricted 
to quadratic polynomials, and to the smallest possible finite field, the problem 
is well-known to be NP-complete, not to mention very difficult in practice. In 
that restricted setting, the problem is often called Multivariate Quadratic (MQ 
for short). Because this mathematical problem is well-known and has a simple 
statement, it was very tempting to design cryptographic schemes relying on its 
hardness. This has the added benefit that no quantum algorithm is known to 
break MQ faster than in the classical world, unlike most number-theoretic hard 
problem that would fall to Shor’s algorithm [TT)j . 

Multivariate polynomials have been used in cryptography as early as in 1984, 
mostly with the purpose of designing RSA variants with faster decryption |11I12I5| . 

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 
At about the same time, Matsumoto and Imai designed the first public-key scheme explicitly based on the hardness of MQ. In fact, they had several proposals, but only a single one (their “Scheme A”) made it to the general crypto community, and was presented at Eurocrypt'88 [?] under the name C*. It is very similar to RSA, as its only non-linear component is a power function over a finite field. However, unlike RSA this power function is an easy-to-invert bijection, therefore in C* it is composed with two secret invertible linear maps that destroy its algebraic structure. We therefore see C* as an attempt to obfuscate a power function in $\mathbb{F}_{q^n}$ by presenting it as a collection of n quadratic polynomials in n variables over $\mathbb{F}_q$. 

Several years later, Patarin found a devastating attack against C*, allowing one to decrypt and to forge signatures in a few seconds [?]. He showed that there always are bilinear relations between the ciphertext and the plaintext, which can be easily discovered by the adversary. This allows for an efficient attack by substituting the ciphertext into the bilinear relations, which results in a system of linear equations whose solution is the plaintext. 

The SFLASH signature scheme [?] is a derivative of the original C* that was proposed in 2001 by Courtois, Goubin and Patarin. It is famous for having been selected in 2003 by the NESSIE European project to be proposed to the standardization bodies. 

The idea behind SFLASH is to take the original C* but to throw away a part of the output. The resulting trapdoor one-way function can no longer be used for encryption, but it can still be used for signatures. This is achieved by removing a part of the public key, which is the obfuscated description of the power function. The idea of removing some of the public polynomials was originally suggested by Shamir [?] and was called the “Minus transform”. The original C* with the minus transform is thus often called C*⁻. This countermeasure is very effective since it avoids the reconstruction of the bilinear relations and makes it much harder to compute a Gröbner basis of the public key. 

SFLASH was in turn very badly broken in 2007 when Dubois, Fouque, Stern and Shamir found a practical forgery attack, and further broken in 2008 when Fouque, Macario-Rat and Stern found a practical key-recovery attack [?]. Both attacks are very practical, defeating the actual SFLASH parameters in minutes. They are essentially polynomial in the security parameter(s), so that there is no hope that increasing them may make the scheme simultaneously secure and usable. 

However, both attacks only apply as long as the number of removed polynomials is less than half of the total number. There are therefore unbroken ranges of parameters, even though they are less practical than the original (defeated) proposal. For instance, let us consider the parameters q = 128 and n = 257. The original C* public key would be made of 257 polynomials in 257 variables over $\mathbb{F}_{128}$. If we throw away 75% of the public key, we obtain a C*⁻ public key with 64 multivariate quadratic polynomials in 257 variables, and the existing attacks do not apply. The signatures are 1799 bits long, and the public key is 1.8 Mbyte long. Forging a signature by exhaustive search requires $2^{448}$ trials, and computing a Gröbner basis should require even more arithmetic operations. 
Our Contribution. We show that SFLASH/C*⁻ can be broken regardless of the fraction of the public key that was thrown away, thus improving on the previous attacks. We present a practical key-only attack that recovers the secret key and applies as soon as three polynomials from the public key are available. This happens to be the information-theoretic minimum quantity of data required to uniquely characterize the set of possible secret keys. The attack has been implemented and tested. It runs very efficiently, and breaks in practice all the meaningful ranges of parameters. For instance, the particular parameters mentioned in the previous paragraph can be broken in about 10 hours using a single computer. 

SFLASH had already been thrown out of the league of possible alternatives to 
RSA or discrete-logarithm based schemes by the previous attacks. The contribu- 
tion of this work is not only to further break SFLASH, but also to introduce new 
cryptanalytic techniques. To achieve our results, we make use of mathematical 
tools that were not previously used in multivariate cryptanalysis, such as pencils 
of matrices or quadratic forms, adjugate matrices, simultaneous diagonalization 
of quadratic forms, kernels of quadratic forms, etc. We expect that some of these 
tools might apply further to other schemes, in particular those sharing some 
features with SFLASH, notably HFE. 

1.1 Organization of the Paper 

In section 2, we present some mathematical background. Then, in section 3, we describe the C* and SFLASH signature schemes. In section 4, we investigate in great detail the mathematical properties of C* and find exploitable relations between the secret and public keys. Finally, we expose our key-recovery attack in section 5 and give experimental results. 

2 Mathematical Background 

Finite Fields. Let K be the finite field with q elements, where q is a power of two, and F an extension of K of degree n. Recall that F is isomorphic to $K^n$, so that we often identify the two spaces. The trace on F over K is the K-linear map defined by $\mathrm{Tr}_{F/K}(x) = x + x^q + \dots + x^{q^{n-1}}$. The norm on F over K is defined by $N_{F/K}(x) = x \cdot x^q \cdots x^{q^{n-1}}$. Both $\mathrm{Tr}_{F/K}$ and $N_{F/K}$ are functions from F to K, and we simply denote them Tr and N since there is no confusion. The map $x \mapsto x^q$ is called the Frobenius map, and it is a field automorphism. 

Lemma 1. For any K-linear mapping L on F over K, there exists an element λ of F such that, for all x in F, L(x) = Tr(λx). Moreover, if Tr(λx) = 0 for all x ∈ F, then λ = 0. 

Quadratic forms. A quadratic form over K is a degree 2 homogeneous polynomial: 

$$Q(x_1, \dots, x_n) = \sum_{1 \le i \le j \le n} a_{ij}\, x_i x_j$$

with $a_{ij} \in K$. 
It is well-known that over fields of characteristic not two, a quadratic form Q is uniquely represented by its polar form, i.e., the symmetric bilinear form defined by $\psi(Q) : (x, y) \mapsto \tfrac{1}{2} \cdot (Q(x+y) - Q(x) - Q(y))$, with the nice property that $Q(x) = \psi(Q)(x, x)$. Over fields of characteristic two, this is however no longer possible, because the division by two is not defined. In this paper, we will slightly abuse the usual definition, and we define the polar form of a quadratic form to be the symmetric bilinear form: 

$$\psi(Q) : (x, y) \mapsto Q(x+y) - Q(x) - Q(y)$$

Given a basis $b_1, \dots, b_n$ of F, ψ(Q) can be represented by an n × n symmetric matrix whose (i, j) coefficient is $\psi(Q)(b_i, b_j)$. By an abuse of notation, we will often identify ψ(Q) with its matrix representation. 

The Kernel of a Quadratic Form. The kernel of a quadratic form Q, also called the radical of Q, is the vector space of elements a ∈ F such that for any x ∈ F, ψ(Q)(x, a) = 0. It is easy to see that the kernel of a quadratic form is the kernel of the matrix ψ(Q). What makes the kernel interesting is that in characteristic two, when n is odd, all quadratic forms have a non-trivial kernel. 

Theorem 1 ([15]). Let q be a power of two, and let Q be a quadratic form over K. Then the rank of ψ(Q) is even. 


Linear Algebra. We denote the characteristic polynomial of M by χ(M). A minor of M is simply the determinant of a submatrix of M. We will use in the following the adjugate matrix adj(M) of a matrix M. We recall that it is the transpose of the comatrix, which is the matrix of the cofactors. A cofactor of M, $\mathrm{cof}_{i,j}(M)$, is the determinant of the submatrix $M_{\bar i, \bar j}$, where in this notation we refer to the matrix M without the i-th row and the j-th column. We lastly recall two well-known results connecting a matrix M and its adjugate. 

Theorem 2 (Cayley-Hamilton). If $\chi(M) = X^n + c_{n-1} X^{n-1} + \dots + c_1 X + c_0$ is the characteristic polynomial of M, then: 

$$M^n + c_{n-1} M^{n-1} + \dots + c_1 M + c_0 \cdot I_n = 0$$
$$M^{n-1} + c_{n-1} M^{n-2} + \dots + c_2 M + c_1 \cdot I_n = \mathrm{adj}(-M)$$

It follows that $-M \cdot \mathrm{adj}(-M) = \mathrm{adj}(-M) \cdot (-M) = \det(-M) \cdot I_n$. 

Lemma 2. The rank of adj(M) can be deduced from the rank of M: 

— if rank(M) = n, then rank(adj(M)) = n. 

— if rank(M) = n − 1, then rank(adj(M)) = 1. 

— In all other cases, rank(adj(M)) = 0. 
3 The C* and SFLASH Signature Schemes 

The basic idea underlying both C* and SFLASH is to hide an easily invertible function φ in the large finite field F using two secret invertible linear (or affine) maps S and T which mix together the n coordinates of φ over the small field K, with PK = T ∘ φ ∘ S. The signature of a message y is a vector x such that PK(x) = y. The legitimate signer easily computes x by successively inverting T, φ and then S. 

Let π be the canonical isomorphism between $K^n$ and F, and let φ be defined by $\varphi(X) = X^{1+q^\theta}$. Enforcing that $\gcd(1 + q^\theta, q^n - 1) = 1$ makes φ bijective. Because we may write $\varphi(X) = X \cdot X^{q^\theta}$, we find that φ is in fact the product of two linear functions (recall that the Frobenius map and its iterates are linear). It follows that $\pi \circ \varphi \circ \pi^{-1}$ is a quadratic bijection of $K^n$, i.e., that if $x \in K^n$, then $\pi \circ \varphi \circ \pi^{-1}(x)$ is a vector whose coordinates are quadratic forms in the coordinates of x. For the sake of lighter notations, we omit π in the sequel. 

The secret key of the scheme is composed of the two invertible n × n matrices S and T with coefficients in K. The exponent θ and π are public parameters. The public key of the scheme is formed by the representation over $K^n$ of T ∘ φ ∘ S. More precisely, if $T_i$ denotes the i-th line of T, then the public key of C* is the vector of n quadratic forms over $K^n$: 

$$P_i(x_1, \dots, x_n) = \mathrm{Tr}\big(T_i \cdot \varphi(S(x_1, \dots, x_n))\big), \qquad 1 \le i \le n$$

The public key of SFLASH is composed of the first r quadratic forms $P_1, \dots, P_r$. Typical values of the parameters may be the ones defined for SFLASH v3: q = 128, n = 67, r = 56 and θ = 33. 

Although the public key is a vector of polynomials in $(K[x_1, \dots, x_n])^n$, it is more convenient to see them as functions from F to K. We therefore write 

$$P_i(x) = \mathrm{Tr}\big(T_i \cdot S(x)^{1+q^\theta}\big).$$

Equivalent Secret Keys. Given a public key, there are many possible corresponding secret keys (there are “equivalent” secret keys [?]). A key-recovery attack is expected to retrieve one possible secret key amongst those generating the targeted public key. The existence of many equivalent secret keys gives some freedom to the attacker: we may be guaranteed that there is an equivalent secret key satisfying some interesting property. 

Lemma 3. If (S, T) is an SFLASH secret key that generates the public key PK, then for any integer k ≥ 1 there is an equivalent secret key (S', T') in which $T'_i = (T_i / T_1)^{q^k}$ (seeing the vectors $T_i$ as elements of F). 

Proof. Because the function $x \mapsto \alpha x$ is linear over F, it can be represented by a matrix $M_\alpha$ over $K^n$. The key idea is that multiplications “commute” with the internal power function: 

$$P_i(x) = \mathrm{Tr}\Big(\frac{T_i}{\alpha^{1+q^\theta}} \cdot \big[\alpha \cdot S(x)\big]^{1+q^\theta}\Big)$$

Now, we pick α such that $\alpha^{1+q^\theta} = T_1$ (this is always possible because the power function is bijective). Thus, a possible equivalent secret key is such that $T'_i = T_i / T_1$, and $S' = M_\alpha \cdot S$. 

Next, it follows from the definition of the trace, and from the identity $x^{q^n} = x$ which holds over F, that $\mathrm{Tr}(x^{q^k}) = \mathrm{Tr}(x)$. This shows that 

Thus, if F denotes the matrix representing the Frobenius, i.e., the linear map $x \mapsto x^q$ in F, then a possible equivalent secret key is such that $T'_i = (T_i / T_1)^{q^k}$, and $S' = F^k \cdot M_\alpha \cdot S$. □ 

4 Mathematical Properties of C*⁻ Public Keys 

The aim of this section is to exhibit relations involving the secret elements S and the $T_i$'s on the one hand, and the public key on the other hand, in such a way that the secrets can be easily reconstructed given only a small number of public polynomials. 

For this purpose, we consider two public polynomials $P_i$ and $P_j$, and we define the pencil of quadratic forms $\mathbf{P} = \lambda P_i + \mu P_j$, with λ, μ in K. We also define the pencil of vectors $\mathbf{T} = \lambda T_i + \mu T_j$, and because the Trace is K-linear we have: 

$$\mathbf{P}(x) = \mathrm{Tr}\big(\mathbf{T} \cdot S(x)^{1+q^\theta}\big) \qquad (1)$$

We are interested in the kernel of P, which is by definition the set of vectors a such that for any x, ψ(P)(a, x) = 0. In fact, it is simply the kernel of the matrix representation of the polar form ψ(P). We first relate the kernel of P to the components of the secret key in section 4.1 and then with the components of the public key in section 4.2. This allows us, by “transitivity”, to find exploitable relations between the public key and the secret elements in section 4.3. 

In the sequel, we adopt the typographic convention that any quantity that depends implicitly on λ and μ is written in bold. 

4.1 Relations between the Kernel and the Secret-Key 

It is not very surprising that the kernel of P admits a relatively simple expression 
in terms of the components of the secret key. 

Theorem 3. Given that n is odd, and gcd(θ, n) = 1, we have: 

(i) The kernel of P is $\{x \in K^n \mid \mathbf{T} \cdot S(x)^{1+q^\theta} \in K\}$. 

(ii) The matrix pencil ψ(P) has rank n − 1. 

(iii) When (λ, μ) ≠ (0, 0), there exists a unique vector $a \in K^n$ in the kernel of P such that P(a) = 1. 

(iv) There exists δ ∈ N such that $a = S^{-1}(\mathbf{T}^\delta)$. A possible value for δ is 

$$\delta = \Big(\frac{q}{2} - 1\Big) \cdot \sum_{i=0} \cdots \sum_{i=(n+1)/2} \cdots \qquad (2)$$

Proof. It is known that the polar forms of C* polynomials have a special shape: 

$$\psi(\mathbf{P})(x, y) = \mathrm{Tr}\Big(\mathbf{T} \cdot \big[S(x) \cdot S(y)^{q^\theta} + S(x)^{q^\theta} \cdot S(y)\big]\Big)$$

After some manipulations, by exploiting the linearity of the Frobenius, of the Trace, and the fact that they commute, we find when x ≠ 0: 

$$\psi(\mathbf{P})(x, y) = \mathrm{Tr}\Big(\Big[\mathbf{T} \cdot S(x)^{1+q^\theta} + \big(\mathbf{T} \cdot S(x)^{1+q^\theta}\big)^{q^\theta}\Big] \cdot \Big(\frac{S(y)}{S(x)}\Big)^{q^\theta}\Big)$$

Now, inside the trace, the first term of the product depends only on x, and the second member takes all possible values in F when y ranges across F, because S and the Frobenius are bijective. Lemma 1 then tells us that if x ≠ 0 belongs to the kernel of P, then 

$$\mathbf{T} \cdot S(x)^{1+q^\theta} + \big(\mathbf{T} \cdot S(x)^{1+q^\theta}\big)^{q^\theta} = 0$$

It remains to show that the solutions of the equation $X + X^{q^\theta} = 0$ in F are precisely the elements of K. It is easy to check that any x ∈ K is a solution, because the fields are of characteristic two, which makes the equation equivalent to $X = X^{q^\theta}$. The other direction is not much more difficult: by induction we find that $X = X^{q^{i\theta}}$ for any i ∈ N. Since over F we always have $x = x^{q^n}$, then when iθ is congruent to 1 modulo n, the equation implies $X + X^q = 0$, which shows that the solutions all lie in K. This establishes point (i). 

Let us prove point (ii). The polar form ψ(P) cannot be of rank n, because it is a skew-symmetric matrix and n is odd (this is well-known for matrices over fields, and is extended to the case of matrices over multivariate polynomial rings in lemma 8 of appendix A). Now, we show that the rank of ψ(P) is at least n − 1. If we specialize (λ, μ) to any value in $K^2$ distinct from (0, 0), then by point (i) $\psi(\lambda P_i + \mu P_j)$, seen as a matrix with entries in K, has a kernel of dimension 1. By the rank theorem (over K), its rank is then n − 1. This shows that there is a non-zero minor of dimension (n − 1). This minor (seen as a polynomial in λ and μ) cannot be the zero polynomial, otherwise it could not become non-zero for a particular choice of λ and μ in K; hence ψ(P) (seen as a matrix with entries in K[λ, μ]) has rank exactly n − 1. 

Point (iii) follows immediately from (i) and from the fact that S, T and the power function are bijective. To establish point (iv), we need to find a suitable value δ such that $S(a) = \mathbf{T}^\delta$. By definition of a, we should have $(\mathbf{T}^\delta)^{1+q^\theta} \cdot \mathbf{T} = 1$, so that δ satisfies the equation $1 + \delta(1 + q^\theta) = 0$ modulo $(q^n - 1)$. Checking that the given value of δ is valid is technical and not very interesting, and we refer the reader to [8] for more details. □ 
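The following Python script is an added illustration, not code from the paper: it builds a toy C* public key over K = GF(2), F = GF(2^7) with θ = 2 (my own choices, as are the field polynomial and the random seed), verifies that each public polynomial is a quadratic form whose polar matrix has a null diagonal and even rank (theorem 1), and then checks theorem 3 on every specialisation (λ, μ) ≠ (0, 0) of the pencil P = λP_1 + μP_2: the kernel of ψ(P) is exactly {x : T·S(x)^{1+q^θ} ∈ K}, ψ(P) has rank n − 1, and the kernel contains a unique a with P(a) = 1.

```python
import random

N, THETA, Q = 7, 2, 2        # n = 7 (odd prime), q = 2, gcd(theta, n) = 1  [toy choice]
MOD = 0x83                   # x^7 + x + 1, irreducible over GF(2), so F = GF(2^7)
EXP = 1 + Q ** THETA         # phi(X) = X^(1+q^theta) = X^5; gcd(5, 2^7 - 1) = 1

def gf_mul(a, b):
    """Product of two elements of F (ints below 128) modulo x^7 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N & 1:
            a ^= MOD
    return r

def gf_pow(a, e):
    """a^e in F by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def trace(x):
    """Tr(x) = x + x^q + ... + x^(q^(n-1)); for q = 2 it lands in K = {0, 1}."""
    t, y = 0, x
    for _ in range(N):
        t, y = t ^ y, gf_mul(y, y)
    return t

def mat_vec(M, x):
    """Apply M (a list of n row bitmasks over K) to the vector x (a bitmask)."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(M))

def gf2_rank(rows):
    """Rank of a matrix given as row bitmasks (Gaussian elimination over GF(2))."""
    rows, rank = list(rows), 0
    for bit in range(N):
        piv = next((r for r in rows if r >> bit & 1), None)
        if piv is not None:
            rows = [r ^ piv if r >> bit & 1 else r for r in rows if r != piv]
            rank += 1
    return rank

def keygen(seed=2011):
    """Constructed toy secret key (S, T): two invertible n x n matrices over K.
    The rows T_i of T are read as elements of F, as the paper identifies K^n with F."""
    rng = random.Random(seed)
    def invertible():
        while True:
            M = [rng.randrange(1, 1 << N) for _ in range(N)]
            if gf2_rank(M) == N:
                return M
    return invertible(), invertible()

def public_poly(S, t):
    """The C* polynomial P(x) = Tr(t * S(x)^(1+q^theta)), a map K^n -> K, for t in F."""
    return lambda x: trace(gf_mul(t, gf_pow(mat_vec(S, x), EXP)))

def polar_matrix(P):
    """Matrix of psi(P)(x, y) = P(x+y) + P(x) + P(y) on the basis e_i = 1 << i."""
    e = [1 << i for i in range(N)]
    return [sum((P(e[i] ^ e[j]) ^ P(e[i]) ^ P(e[j])) << j for j in range(N))
            for i in range(N)]

def is_quadratic_form(P, M):
    """P is a quadratic form iff P(x) = sum_i P(e_i) x_i + sum_{i<j} M_ij x_i x_j."""
    for x in range(1 << N):
        v = 0
        for i in range(N):
            if x >> i & 1:                                   # x_i = 1
                v ^= P(1 << i) ^ (bin(M[i] & x >> (i + 1) << (i + 1)).count("1") & 1)
        if v != P(x):
            return False
    return True

def pencil_checks(S, T, lam, mu):
    """Specialise P = lam*P_1 + mu*P_2 (lam, mu in K) and test theorem 3: returns the
    rank of psi(P), whether ker psi(P) == {x : T*S(x)^(1+q^theta) in K}, and how many
    kernel vectors a satisfy P(a) = 1 (expected: n-1, True, 1)."""
    t = (T[0] if lam else 0) ^ (T[1] if mu else 0)          # T = lam*T_1 + mu*T_2 in F
    P = public_poly(S, t)
    M = polar_matrix(P)
    ker = [x for x in range(1 << N) if mat_vec(M, x) == 0]
    pre = [x for x in range(1 << N) if gf_mul(t, gf_pow(mat_vec(S, x), EXP)) in (0, 1)]
    return gf2_rank(M), ker == pre, sum(P(a) for a in ker)

def demo():
    """Returns {(1, 0): (6, True, 1), (0, 1): (6, True, 1), (1, 1): (6, True, 1)}."""
    S, T = keygen()
    for t in T:                                              # every public polynomial P_i
        P = public_poly(S, t)
        M = polar_matrix(P)
        assert is_quadratic_form(P, M) and all((M[j] >> j) & 1 == 0 for j in range(N))
        assert gf2_rank(M) % 2 == 0                          # theorem 1: even rank
    return {lm: pencil_checks(S, T, *lm) for lm in ((1, 0), (0, 1), (1, 1))}
```

The brute-force kernel search over all $2^n$ vectors is only affordable because n = 7; with q = 2 the three specialisations enumerated in demo() are all the non-zero points of $K^2$.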
The fourth point of theorem 3 makes it possible to explicitly write down the expression of a, the kernel vector introduced in the theorem, as a function of λ and μ. Let us set d = (n − 1)/2, and let us introduce $p_N, p_S \in F[\lambda, \mu]$: 

(3) 

The idea is that $p_N$ only depends on T, while $p_S$ depends “linearly” on S. It is fairly obvious that $p_N$ has total degree n while $p_S$ has total degree d. Next, we claim that $p_N$ in fact has coefficients in K. A possible way to see this is that because it coincides with the Norm, it takes values in K when λ, μ ∈ K, and therefore it could be interpolated as a polynomial of K[λ, μ]. 

We have carefully chosen $p_N$ and $p_S$ so that the vector a defined in point (iii) of theorem 3 is such that: 

$$a = (p_N)^{q/2 - 1} \cdot p_S.$$

This fact is an easy consequence of the fourth point of theorem 3. Note that because $p_N$ has values in K, then $p_S(\lambda, \mu)$ spans the kernel of P, but unlike a, $p_S$ does not a priori satisfy the additional condition that $\mathbf{P}(p_S) = 1$. It follows, by definition of a, because $\mathbf{P}(\lambda x) = \lambda^2 \mathbf{P}(x)$ when λ ∈ K and because $x^{-1} = x^{q-2}$ in K, that: 

And we find that $p_N = \mathbf{P}(p_S)$. The two polynomials $p_N$ and $p_S$ play a crucial role in the sequel: we will show in section 5 that knowing them is sufficient to reconstruct the secret key in polynomial time. In addition, we will also show that they can be reconstructed in polynomial time from the public key. However, doing this requires some more mathematical machinery. 

4.2 Relations between the Kernel and the Public Key 

The kernel of P can be computed using only publicly available information, since it only depends on the public polynomials. If the values of λ and μ were fixed, this could be achieved with standard linear algebra. More sophisticated computer algebra systems have functions that compute a basis of the kernel in terms of λ and μ. We remove the need for such sophisticated operations by explicitly giving the form of the kernel. 

Theorem 4. Let P be a pencil of two public polynomials, $B = \{b_1, \dots, b_n\}$ a basis of $K^n$. There exists a vector $\mathbf{k} = (k_1, \dots, k_n)$ of degree-d homogeneous bivariate polynomials in K[λ, μ], such that: 

(i) The adjugate matrix of the polar form of P can be expressed as the tensor product of k with itself: 

$$\mathrm{adj}(\psi(\mathbf{P})) = (k_i \cdot k_j)_{1 \le i, j \le n}$$

(ii) the kernel of ψ(P) is spanned by $\sum_{i=1}^{n} k_i \cdot b_i$. 

Proof. According to theorem 3 item (ii), the matrix pencil ψ(P) is of rank n − 1, and lemma 2 states that in this case adj(ψ(P)) has rank 1. We will now show that adj(ψ(P)) is the square of some other matrix, but we first require a technical lemma. 

Lemma 4. Let P be an arbitrary pencil of quadratic forms. There exists a family of bivariate polynomials $p_0, \dots, p_d \in K[\lambda, \mu]$ such that $p_i$ is homogeneous of degree i, and the characteristic polynomial of the polar form of P is: 



The proof of lemma 4 is postponed to appendix A. It follows from lemma 4 and theorem 2 that: 

$$\mathrm{adj}(\psi(\mathbf{P})) = \Big(\sum_{i=0}^{d} p_i \cdot \psi(\mathbf{P})^{d-i}\Big)^2$$

We denote by R the natural square root of adj(ψ(P)) occurring on the right-hand side. It is a symmetric matrix pencil whose coefficients are bivariate polynomials of degree d in λ and μ. Let us consider the i-th diagonal term of adj(ψ(P)). We find: 

Consequently, let us define $k_i = \sum_{j=1}^{n} R_{ij}$. The previous equation tells us that $\mathrm{adj}(\psi(\mathbf{P}))_{i,i} = k_i^2$ for all 1 ≤ i ≤ n. This establishes point (i) for the diagonal of adj(ψ(P)) only. 

Let us now consider the other terms with i ≠ j. Since adj(ψ(P)) is of rank 1, we know that the minor of dimension 2 of adj(ψ(P)) obtained by keeping only the i-th and j-th rows and columns is null. This yields: 

$$\mathrm{adj}(\psi(\mathbf{P}))_{i,i} \cdot \mathrm{adj}(\psi(\mathbf{P}))_{j,j} + \big(\mathrm{adj}(\psi(\mathbf{P}))_{i,j}\big)^2 = 0$$

and consequently $\mathrm{adj}(\psi(\mathbf{P}))_{i,j} = k_i k_j$ (when the field is of characteristic two, the square root always exists and is unique because the Frobenius map is bijective). This completes the proof of (i). 


676 C. Bouillaguet, P.-A. Fouque, and G. Macario-Rat 


Let us now focus on point (ii). One of the $k_i$'s at least is non-zero, because adj(ψ(P)) is not the null matrix. We therefore assume (without loss of generality) that $k_1$ is non-zero, and we consider the matrix relation given by theorem 2: 

$$\psi(\mathbf{P}) \cdot \mathrm{adj}(\psi(\mathbf{P})) = 0.$$

Looking at the first column of the product, we conclude that 

$$\psi(\mathbf{P}) \cdot \Big(\sum_{i=1}^{n} k_i k_1 \cdot b_i\Big) = 0,$$

and because $k_1$ is non-zero, we conclude that $\psi(\mathbf{P}) \cdot \big(\sum_{i=1}^{n} k_i \cdot b_i\big) = 0$. □ 

In light of theorem 4, it seems that we can derive from the public key a polynomial whose properties mimic those of $p_S$. Keeping the notations of the theorem, we define: 

$$\tilde p_S = \sum_{i=1}^{n} k_i \cdot b_i, \qquad \tilde p_N = \mathbf{P}(\tilde p_S)$$

We deduce from theorem 4 that $\tilde p_S$ has the same degree as $p_S$, and that like $p_S$, it spans the kernel of ψ(P). We also need to find a polynomial $\tilde p_N$ that would be an analogue of $p_N$ and that could be derived from the public key. Note that it immediately follows from theorem 4 that $\tilde p_S$ spans the kernel of P. 

4.3 Relations between the Secret-Key and the Public-Key 

The last (but not least) step of our analysis is to show that the two polynomials $p_N, p_S$ derived from the secret key in section 4.1 on the one hand, and the polynomials $\tilde p_N, \tilde p_S$ derived from the public key in section 4.2 on the other hand, are in general equal up to a constant multiplicative factor. 

Theorem 5. If $T_2/T_1$ is primitive over F (i.e., generates the multiplicative group of F), then there exists a constant ζ ≠ 0 in K such that $\tilde p_S = \zeta \cdot p_S$, and (accordingly) $\tilde p_N = \zeta^2 \cdot p_N$. 

Proof. The first step of the proof is to show that $\tilde p_N$ has degree n, just like $p_N$. The polynomials $k_1, \dots, k_n$ defined in theorem 4 have coefficients in K, and are homogeneous of degree d. We can therefore find a family $c_0, \dots, c_d$ of coefficients in F such that: 

$$\tilde p_S = \sum_{i=1}^{n} k_i \cdot b_i = \sum_{i=0}^{d} c_i \cdot \lambda^{d-i} \mu^{i} \qquad (4)$$

It turns out that this family enjoys a nice property: over the subspace of $K^n$ that it spans, the pencil P is in fact a diagonal form (i.e., the two public polynomials it is made of are simultaneously diagonal). 

Lemma 5. $\psi(\mathbf{P})(c_i, c_j) = 0$ for any 0 ≤ i, j ≤ d. 
Lemma 6. For any family $\{r_i\}_{0 \le i \le d}$ of polynomials over K, we have 

The proofs are postponed to appendix B. Applying lemma 6 to (4), we get: 

$$\tilde p_N = \mathbf{P}(\tilde p_S) = \mathbf{P}\Big(\sum_{i=0}^{d} c_i \cdot \lambda^{d-i}\mu^i\Big) = \sum_{i=0}^{d} \big(\lambda P_1(c_i) + \mu P_2(c_i)\big) \cdot \lambda^{2d-2i} \mu^{2i}$$

From there, it is easy to see that $\tilde p_N$ has degree 2d + 1 = n. 

Now that it has been established that $p_N$ and $\tilde p_N$ have the same degree, we will use irreducibility properties of $p_N$ to conclude the proof of theorem 5. We first claim that the univariate polynomial $p_N(\lambda, 1) \in K[\lambda]$ is irreducible over K. After a few manipulations we find 

$$p_N(\lambda, 1) = N(\lambda T_1 + T_2) = N(T_1) \cdot N(\lambda + T_2/T_1).$$

Thus $T_2/T_1$, which is primitive over F, is a root of $p_N(\lambda, 1)$, and this polynomial is therefore irreducible over K. 

Lemma 7. There exist ζ, ξ in K[λ, μ] such that: 



Proof. First, the rank of the two-column matrix $(p_S, \tilde p_S)$ is one. If it was two, then this matrix could be extended to an n × n matrix M of rank n. We then find that the rank of $\psi(\mathbf{P}) \cdot M$ would be at most n − 2, since its two first columns are null, which contradicts the fact established earlier that ψ(P) has rank n − 1. 

There exist polynomials $\{\ell_i\}$ such that $p_S = \sum_{i=1}^{n} \ell_i \cdot b_i$. We now argue that there exists an index $i_0$ such that $k_{i_0} \ne 0$ and $\ell_{i_0} \ne 0$. The reasoning is by contradiction: assume that for all i we have $k_i \cdot \ell_i = 0$. Since $p_S \ne 0$ and $\tilde p_S \ne 0$, there exist indices i, j such that $k_i \ne 0$ and $\ell_j \ne 0$. By hypothesis, $k_j = 0$ and $\ell_i = 0$. But then, we find that $k_i \cdot \ell_j + k_j \cdot \ell_i = k_i \cdot \ell_j \ne 0$. Consequently, a minor of dimension two of $(p_S, \tilde p_S)$ is non-zero, which contradicts the fact that it is of rank one. 

We can therefore assume without loss of generality that $k_1 \ne 0$ and $\ell_1 \ne 0$. The linear combination $k_1 \cdot p_S + \ell_1 \cdot \tilde p_S$ is null since by construction its first coordinate is zero, and the other coordinates are minors of dimension 2 of $(p_S, \tilde p_S)$ and are also null. We can now assert that the pair 

satisfies the requirements of the lemma. 
Let (ζ, ξ) be a pair of bivariate polynomials over K satisfying lemma 7. By applying P, we get: $\zeta^2 \cdot p_N = \xi^2 \cdot \tilde p_N$. Any irreducible factor of ξ must divide $p_N$ since it does not divide ζ. But because $p_N$ is irreducible, ξ is necessarily of degree 0. And ζ is also of degree 0 because $p_N$ and $\tilde p_N$ have the same degree. This concludes the proof of theorem 5. □ 

We conclude this section by giving one last important but somewhat technical result. The polynomial $p_S$ is “designed” to reveal the image of S on the subspace of $K^n$ spanned by its d + 1 coefficients (seen as vectors of $K^n$). It does actually matter whether these are linearly independent or not. 

Theorem 6. The coefficients of the polynomial $p_S$ form an independent family if and only if $(T_2/T_1)^q$ is not a root of the polynomials $x + x^{q^i}$ for 1 ≤ i ≤ d. In particular, if n is a prime number this condition is satisfied since by assumption $T_1$ and $T_2$ are independent. 

The proof is given in the appendix. 

5 The Attack 

We are now ready to leverage our in-depth investigation of the properties of C*, by presenting a practical key-recovery attack that does not require any signature. The global attack strategy is to compute the polynomials $\tilde p_N$ and $\tilde p_S$ defined in section 4.2. Then, theorem 5 tells us that with non-negligible probability, these are equal to the polynomials $p_N$ and $p_S$ defined in section 4.1, from which the secret key can be efficiently recovered. 

Reconstructing the Polynomials $\tilde p_N$ and $\tilde p_S$. Given a pencil $\mathbf{P} = \lambda P_i + \mu P_j$ of polynomials from the public key, we first show how the polynomials $\tilde p_N$ and $\tilde p_S$ defined in section 4.2 can be determined. More precisely, we show how to build a function Kernel-Recovery(P) that returns the two polynomials $\tilde p_N$ and $\tilde p_S$ described in section 4.2. Because $\tilde p_N = \mathbf{P}(\tilde p_S)$, we focus our attention on the non-obvious part consisting in recovering $\tilde p_S$. This can be achieved in two different ways. A first possibility is to follow the proof of theorem 4, which results in the following procedure: 

1. Compute the characteristic polynomial χ of ψ(P) and factor it into 

2. Compute the matrix $R = \sum_{i=0}^{d} p_i \cdot \psi(\mathbf{P})^{d-i}$ and let $k_j = \sum_{i=1}^{n} R_{i,j}$. 

3. Finally let $\tilde p_S$ be equal to $\sum_{i=1}^{n} k_i \cdot b_i$. 
Note that computing the characteristic polynomial can be achieved over any commutative ring using the division-free algorithm of Mahajan and Vinay [?]. Computing the factorization of the characteristic polynomial is a (classical) multivariate factorization problem. Both functionalities are available in several computer algebra systems, including (but not limited to) MAGMA [?] and SAGE [?]. Alternatively, we may directly compute a basis of ker ψ(P) (which is a module over K[λ, μ]) using the ad hoc function present in some computer algebra systems. This function is for instance available in MAGMA, and seems to rely on Gröbner basis computations. It is apparently much faster than the previous option. 

From Kernel to Secret Key. Let us call (T', S') the equivalent key we try to forge. Thanks to lemma 3, we know that we may without loss of generality assume that $T'_1 = 1$ and $T'_2 = (T_2/T_1)^{q^i}$, for any i ≥ 0. This shows that if $(\tilde p_N, \tilde p_S) = \text{Kernel-Recovery}(\lambda P_1 + \mu P_2)$, then we may safely choose $T'_2$ to be any root of $\tilde p_N(\lambda, 1)$ different from one. We then focus on equation (3): 

Given the values of $T'_1$ and $T'_2$, we may explicitly evaluate the product on the right-hand side. Identifying both sides coefficient-wise then reveals the image of S' on the subspace of $K^n$ spanned by the d + 1 coefficients of the product. Theorem 6 tells us that this subspace is of dimension d + 1 with non-negligible probability. 

To complete the key recovery of the secret element, we use a third polynomial from the public key. We compute $(\tilde p'_N, \tilde p'_S) = \text{Kernel-Recovery}(\lambda P_1 + \mu P_3)$. Only one of the roots of $\tilde p'_N$ yields a valid choice for $T'_3$, therefore we pick one at random, and we will try again with another one in case of failure in the subsequent steps. Knowledge of $T'_1$ and $T'_3$ allows us to discover the image of S' on another subspace spanned by d + 1 generators following the same procedure. 

At this point, we have learned the image of S' on n + 1 vectors, and we really hope that S' is completely revealed. If it is not the case, we may try again with $P_i$ instead of $P_3$. Once S' is known, finding the other $T'_i$'s can be done by straightforward linear algebra. If no solution exists for any of them, then our guess for $T'_3$ was wrong. 

5.1 Complexity 

We implemented the whole key-recovery using the MAGMA computer algebra 
system. The code of the full attack is 120 lines long, and is available on the 
web page of the first author. We first applied the attack to SFLASH v2 and 
SFLASH v3, that were already broken (universal forgery) by Dubois, Fouque, 
Stern and Shamir [3], and further broken (key-recovery) by Fouque, Macario-Rat 
and Stern [?]. We then applied the attack to SFLASH instances that cannot be 
broken by the existing attack, because the number of polynomials in the public 
key is less than n/2. We tried various combinations of field size and variable numbers, and found out that the attack works quite well in practice, as Table 1 shows. There are thus no longer any practically unbroken set of parameters for SFLASH. 

Table 1. Experimental results 

| SFLASH version | q | n | #public polynomials | Signature | Already broken? | Attack | KeyGen |
|---|---|---|---|---|---|---|---|
| v2 | 128 | 37 | 26 (70%) | 259 bits | Yes [?] | 7s | 0.1s |
| v3 | 128 | 67 | 56 (83%) | 469 bits | Yes [?] | 47s | 0.6s |
| | 256 | 131 | 56 (42%) | 1048 bits | No | 17min | 5s |
| | 65536 | 257 | 64 (25%) | 4112 bits | No | ≈ 10h | 141s |
| | 2 | 331 | 80 (24%) | 331 bits | No | 105min | 16s |
| | 2 | 521 | 80 (24%) | 521 bits | No | ≈ 11h | 62s |
| | 2 | 1031 | 128 (12%) | 1031 bits | No | | 680s |
A Mathematical Results 

Lemma 8. Let $M = \lambda A + \mu B$ be a matrix pencil over K, symmetric and with null diagonal, of any dimension n. Its determinant is a bivariate form of degree n. If n is odd, det(M) = 0, and if n is even, there exists a bivariate form k over K of degree n/2 such that $\det(M) = k^2$. 

Proof. We will prove this result using a recurrence in a 2 by 2 step. For n = 1, M is the null 1 × 1 matrix; for n = 2, 

$$M = \begin{pmatrix} 0 & k \\ k & 0 \end{pmatrix},$$

where k is a bivariate form of degree 1 and $\det(M) = k^2$. Now, let n ≥ 3 and assume the property is true for n − 2. We will show that it is also true for n. We compute the determinant of M by developing according to the first column. Since the (1, 1)-coefficient of M is null, we have $\det(M) = \sum_{i=2}^{n} M_{i,1} \det(M_{\bar i, \bar 1})$, where $M_{i,1}$ denotes the coefficient (i, 1) of M and $\det(M_{\bar i, \bar 1})$ the (i, 1) minor. We can see that in all these minors, the first row has never been removed, whereas the first column always has. We can now do a development according to the first row and, using the multi-linearity of the determinant, we get $\det(M) = \sum_{i=2}^{n} \sum_{j=2}^{n} M_{i,1} M_{1,j} \det(M_{\bar 1 \bar i, \bar 1 \bar j})$, where $M_{\bar 1 \bar i, \bar 1 \bar j}$ denotes the matrix M with rows 1 and i and columns 1 and j removed. Since M is symmetric, we can add together the terms (i, j) and (j, i) for i ≠ j, and these terms vanish. The determinant that we compute is equal to $\det(M) = \sum_{i=2}^{n} M_{i,1}^2 \det(M_{\bar 1 \bar i, \bar 1 \bar i})$. Now we can use the recurrence assumption: if n is odd, det(M) = 0, and if n is even, $\det(M) = \sum_{i=2}^{n} M_{i,1}^2 k_i^2 = \big(\sum_{i=2}^{n} M_{i,1} k_i\big)^2$, where the forms $k_i$, for i = 2, ..., n, are of degree (n − 2)/2. Consequently, the degree of the form $\sum_{i=2}^{n} M_{i,1} k_i$ is n/2. □ 
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Lemma 9. Let Py ;i be an arbitrary pencil of quadratic forms. There exist a 
family of bivariate polynomials (pj}o<i<d in K[a:, y) such that Pi is of degree i, 
and the characteristic polynomial of the polar form of P is: 

X (^(P A J) = ][> 2 .X"- 2 \ 

i=0 


Proof. The result follows from lemma El The coefficient of X n ~ t in x (P (Pa./j,)) 
is the sum of all M minors obtained by choosing n — i diagonal terms and 
removing the (n — i) corresponding rows and columns. The minors obtained are 
of dimension i. □ 

B Simultaneous Diagonalization of Two Quadratic Forms

Lemma 10. $\psi(P)(c_i, c_j) = 0$ for $0 \le i, j \le d$.

Proof. Let $(\lambda, \mu)$ and $(\lambda', \mu')$ be two pairs of variables in $K^2$ such that $\lambda\mu' + \lambda'\mu \ne 0$. Because $p_S(\lambda,\mu)$ and $p_S(\lambda',\mu')$ lie in the kernels of $\lambda\,\psi(P_1) + \mu\,\psi(P_2)$ and $\lambda'\,\psi(P_1) + \mu'\,\psi(P_2)$ respectively, we find:
$$\big(\lambda\,\psi(P_1) + \mu\,\psi(P_2)\big)\big(p_S(\lambda,\mu),\, p_S(\lambda',\mu')\big) = 0,$$
$$\big(\lambda'\,\psi(P_1) + \mu'\,\psi(P_2)\big)\big(p_S(\lambda,\mu),\, p_S(\lambda',\mu')\big) = 0.$$
By linear combination (multiply the first equation by $\mu'$ and the second by $\mu$ and add; respectively by $\lambda'$ and $\lambda$), we have
$$(\lambda\mu' + \lambda'\mu)\,\psi(P_1)\big(p_S(\lambda,\mu),\, p_S(\lambda',\mu')\big) = 0,$$
$$(\lambda\mu' + \lambda'\mu)\,\psi(P_2)\big(p_S(\lambda,\mu),\, p_S(\lambda',\mu')\big) = 0,$$
and since $\lambda\mu' + \lambda'\mu \ne 0$,
$$\psi(P_1)\big(p_S(\lambda,\mu),\, p_S(\lambda',\mu')\big) = 0, \qquad \psi(P_2)\big(p_S(\lambda,\mu),\, p_S(\lambda',\mu')\big) = 0.$$
Finally, writing $p_S(\lambda,\mu) = \sum_{i=0}^{d} \lambda^{d-i}\mu^{i}\, c_i$ and using the bilinearity of $\psi(P_1)$ and $\psi(P_2)$, we get:
$$\sum_{i=0}^{d}\sum_{j=0}^{d} \psi(P_1)(c_i, c_j)\; \lambda^{d-i}\mu^{i}\,\lambda'^{\,d-j}\mu'^{\,j} = 0,$$
$$\sum_{i=0}^{d}\sum_{j=0}^{d} \psi(P_2)(c_i, c_j)\; \lambda^{d-i}\mu^{i}\,\lambda'^{\,d-j}\mu'^{\,j} = 0,$$
which gives the result. □

Lemma 11. For any family $\{r_i\}_{0 \le i \le d}$ of polynomials over $K$, we have:
$$P\Big(\sum_{i=0}^{d} r_i \cdot c_i\Big) = \sum_{i=0}^{d} r_i^2 \cdot P(c_i).$$

Proof. We prove it by induction on the number of non-null polynomials in the family. For a single term we have $P(r_i \cdot c_i) = r_i^2 \cdot P(c_i)$, since $P$ is a (pencil of) quadratic form(s) whose coefficients are bivariate polynomials over $K$. Let us assume that the result holds for $k - 1$ polynomials. According to the definition of the polar form, we can write:
$$P\Big(\sum_{i=0}^{k-1} r_i c_i\Big) = P(r_0 c_0) + P\Big(\sum_{i=1}^{k-1} r_i c_i\Big) + \psi(P)\Big(r_0 c_0,\ \sum_{i=1}^{k-1} r_i c_i\Big)
= r_0^2 \cdot P(c_0) + \sum_{i=1}^{k-1} r_i^2 \cdot P(c_i) + \sum_{j=1}^{k-1} r_0 r_j \cdot \psi(P)(c_0, c_j).$$
Lemma 10 allows us to conclude. □


C Showing Independence of the Coefficients of a Polynomial

We concentrate on a simpler polynomial of the form $\prod_{i=0}^{d-1}(X + t^{q^i})$.

Definition 1. Let $d \ge 1$ be a positive integer. We call elementary symmetric polynomials of order $d$ the $d+1$ polynomials in $d$ variables $\sigma_{i,d}$, $0 \le i \le d$, defined implicitly by:
$$\prod_{i=1}^{d}(X + X_i) = \sum_{i=0}^{d} \sigma_{i,d}(X_1, \dots, X_d)\, X^{d-i}.$$

We also recall the following lemma, useful to prove that a family of elements in $F$ is independent.

Lemma 12. Let $A = \{a_i\}_{0 \le i \le d}$ be a family of elements of $F$. The elements in $A$ are independent if and only if the determinant of the matrix $(a_i^{q^j})_{0 \le i,j \le d}$ is non-null.

Let $t$ be an element of $F$. In a first step we try to find an equivalent condition to the fact that the coefficients of the polynomial $\prod_{i=0}^{d-1}(X + t^{q^i})$ are independent. These coefficients can be expressed using the elementary symmetric polynomials: they are equal to $\{\sigma_{i,d}(t, t^q, \dots, t^{q^{d-1}})\}_{0 \le i \le d}$.

We describe some notations. We denote by $s_{i,d}$ and $\Delta_d$ the mappings over $F$ defined by:
$$s_{i,d}(x) = \sigma_{i,d}(x, x^q, \dots, x^{q^{d-1}}),$$
$$\Delta_d(x) = \det\big((s_{i,d}(x)^{q^j})_{0 \le i,j \le d}\big).$$
Using the above lemma and these notations, we can say that the coefficients of the polynomial $\prod_{i=0}^{d-1}(X + t^{q^i})$ are independent if and only if $\Delta_d(t) \ne 0$. In the following, we try to compute some simple expression for $\Delta_d$.

Lemma 13. For $d$ and $i$ integers such that $0 \le i \le d$, the Frobenius mapping commutes with the mappings $s_{i,d}$, i.e. for every $x \in F$, $s_{i,d}(x^q) = s_{i,d}(x)^q$.

Proof. The mappings $s_{i,d}(x)$ are by construction sums of the monomials $x \mapsto x^{q^{j_1} + \dots + q^{j_i}}$, $0 \le j_1 < \dots < j_i \le d-1$. The Frobenius mapping is additive and commutes with each of these monomials. □

Lemma 14. For $d$ and $i$ integers such that $1 \le i \le d$, we have:
$$s_{i,d}(x) + s_{i,d}(x^q) = s_{i-1,d-1}(x^q)\,\big(x + x^{q^d}\big).$$

Proof. We have the following relations (the first one uses that $K$ has characteristic 2):
$$\prod_{i=0}^{d-1}(X + x^{q^i}) + \prod_{i=0}^{d-1}(X + x^{q^{i+1}}) = \big((X + x) + (X + x^{q^d})\big)\prod_{i=1}^{d-1}(X + x^{q^i}) = \big(x + x^{q^d}\big)\prod_{i=1}^{d-1}(X + x^{q^i}),$$
and
$$\prod_{i=0}^{d-1}(X + x^{q^i}) = \sum_{i=0}^{d} s_{i,d}(x)\, X^{d-i},$$
$$\prod_{i=0}^{d-1}(X + x^{q^{i+1}}) = \sum_{i=0}^{d} s_{i,d}(x^q)\, X^{d-i},$$
$$\prod_{i=1}^{d-1}(X + x^{q^i}) = \prod_{i=0}^{d-2}\big(X + (x^q)^{q^i}\big) = \sum_{i=0}^{d-1} s_{i,d-1}(x^q)\, X^{d-1-i}.$$
We get the desired equality by considering the coefficient of $X^{d-i}$. □

Lemma 15. For $d > 1$, we have:
$$\Delta_d(x) = \Delta_{d-1}(x^q)\,\big(x + x^{q^d}\big)^{1 + q + \dots + q^{d-1}}.$$

Proof. The function $\Delta_d$ is a determinant of dimension $d+1$. We can note that the first row is composed of $d+1$ times the value 1, since for $0 \le j \le d$, $s_{0,d}(x)^{q^j} = 1^{q^j} = 1$. We do not change the value of the determinant by adding to each column its right neighbour (columns being indexed from $0$: for $j = 0, \dots, d-1$, replace column $j$ by column $j$ plus column $j+1$). After this operation, the first row is composed of $d$ times the value 0 and one time the value 1. After this addition, and using Lemmas 13 and 14, the term in row $i$ and column $j$, for $1 \le i \le d$ and $0 \le j \le d-1$, is:
$$s_{i,d}(x)^{q^j} + s_{i,d}(x)^{q^{j+1}} = \big(s_{i,d}(x) + s_{i,d}(x^q)\big)^{q^j} = s_{i-1,d-1}(x^q)^{q^j}\,\big(x + x^{q^d}\big)^{q^j},$$
which corresponds to the term $(i-1, j)$ of $\Delta_{d-1}(x^q)$ times $(x + x^{q^d})^{q^j}$. By expanding the determinant along its first row, we recover $\Delta_{d-1}(x^q)$ times the factors of each column, that is $\prod_{j=0}^{d-1}(x + x^{q^d})^{q^j} = (x + x^{q^d})^{1 + q + \dots + q^{d-1}}$. □

Theorem 7. For $d \ge 1$,
$$\Delta_d(x) = \prod_{i=1}^{d}\big(x + x^{q^i}\big)^{q^{d-i} + q^{d-i+1} + \dots + q^{d-1}}.$$

Proof. By induction. Indeed, the formula is straightforward for $d = 1$, since
$$\Delta_1(x) = \det\begin{pmatrix} 1 & 1 \\ x & x^q \end{pmatrix} = x + x^q.$$
Assume that it is true for $d - 1$, i.e.
$$\Delta_{d-1}(x^q) = \prod_{i=1}^{d-1}\big(x^q + x^{q^{i+1}}\big)^{q^{d-1-i} + \dots + q^{d-2}} = \prod_{i=1}^{d-1}\big(x + x^{q^i}\big)^{q^{d-i} + \dots + q^{d-1}}.$$
Using the formula of Lemma 15, we get the result. □
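A numerical check of Lemma 12 and Theorem 7, added here as a worked example and not part of the paper: it computes $\Delta_d(x)$ as the Moore determinant $\det((s_{i,d}(x)^{q^j}))$ over $F = \mathrm{GF}(2^8)$, compares it with the product formula of Theorem 7 for every $x \in F$, and confirms the Lemma 12 criterion by brute-forcing $K$-linear dependence among the coefficients $s_{0,d}(x), \dots, s_{d,d}(x)$. The concrete choices are ours: $F = \mathrm{GF}(2^8)$ with the AES modulus, $K = \mathrm{GF}(q)$ for $q \in \{2, 4\}$, and $d \le 3$.

```python
# Added example (not from the paper): check Lemma 12 and Theorem 7 numerically in
# F = GF(2^8), K = GF(q) with q a power of 2.  Field modulus and q are our choices.
import itertools

MOD = 0x11B      # x^8 + x^4 + x^3 + x + 1, the AES polynomial (assumption)
ORDER = 256      # |F|


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) written as 8-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MOD
    return r


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply in GF(2^8); the exponent may exceed 255."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def frob(x: int, q: int, j: int = 1) -> int:
    """j-th iterate of the Frobenius map x -> x^q (additive, commutes with x -> x^q)."""
    return gf_pow(x, q ** j)


def s_coeffs(x: int, d: int, q: int) -> list:
    """[s_{0,d}(x), ..., s_{d,d}(x)]: coefficients of prod_{i=0}^{d-1} (X + x^{q^i}),
    highest degree first, so s_{0,d}(x) = 1."""
    poly = [1]
    for i in range(d):
        root = frob(x, q, i)
        nxt = poly + [0]                          # multiply poly by (X + root)
        for k in range(1, len(nxt)):
            nxt[k] ^= gf_mul(root, poly[k - 1])
        poly = nxt
    return poly


def gf_det(m: list) -> int:
    """Determinant over GF(2^8) by Gaussian elimination; no signs in characteristic 2."""
    m = [row[:] for row in m]
    n = len(m)
    det = 1
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c]), None)
        if piv is None:
            return 0
        m[c], m[piv] = m[piv], m[c]
        det = gf_mul(det, m[c][c])
        inv = gf_pow(m[c][c], ORDER - 2)          # a^(2^8 - 2) = a^-1
        for r in range(c + 1, n):
            if m[r][c]:
                f = gf_mul(m[r][c], inv)
                m[r] = [m[r][k] ^ gf_mul(f, m[c][k]) for k in range(n)]
    return det


def moore_delta(x: int, d: int, q: int) -> int:
    """Delta_d(x) = det((s_{i,d}(x)^{q^j})_{0 <= i, j <= d}), the determinant of Lemma 12."""
    s = s_coeffs(x, d, q)
    return gf_det([[frob(s[i], q, j) for j in range(d + 1)] for i in range(d + 1)])


def product_formula(x: int, d: int, q: int) -> int:
    """Theorem 7: prod_{i=1}^{d} (x + x^{q^i})^{q^{d-i} + ... + q^{d-1}}."""
    r = 1
    for i in range(1, d + 1):
        e = sum(q ** j for j in range(d - i, d))
        r = gf_mul(r, gf_pow(x ^ frob(x, q, i), e))
    return r


def independent_over_k(elems: list, q: int) -> bool:
    """Brute force: are elems linearly independent over K = GF(q) = {z in F : z^q = z}?"""
    K = [z for z in range(ORDER) if gf_pow(z, q) == z]
    for coeffs in itertools.product(K, repeat=len(elems)):
        if any(coeffs):
            acc = 0
            for c, a in zip(coeffs, elems):
                acc ^= gf_mul(c, a)
            if acc == 0:
                return False
    return True


def check_all(d: int, q: int) -> bool:
    """For every x in F: Delta_d(x) equals Theorem 7's product, and Delta_d(x) != 0
    exactly when s_{0,d}(x), ..., s_{d,d}(x) are K-independent (Lemma 12)."""
    for x in range(ORDER):
        delta = moore_delta(x, d, q)
        if delta != product_formula(x, d, q):
            return False
        if (delta != 0) != independent_over_k(s_coeffs(x, d, q), q):
            return False
    return True


if __name__ == "__main__":
    print(all(check_all(d, 2) for d in (1, 2, 3)), check_all(2, 4))
```

The factorisation makes the independence condition explicit: $\Delta_d(t) = 0$ exactly when $t = t^{q^i}$ for some $1 \le i \le d$, i.e. when $t$ lies in a subfield $\mathrm{GF}(q^i)$ with $i \le d$, and for $q = 2$, $d = 2$ the program finds that only the four elements of $\mathrm{GF}(4) \subset \mathrm{GF}(2^8)$ give dependent coefficients.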
Abstract. A cryptographic assumption is the (unproven) mathematical
statement that a certain computational problem (e.g. factoring integers) 
is computationally hard. The leakage-resilience limit of a cryptographic 
assumption, and hence of a computational search problem, is the maxi- 
mal number of bits of information that can be leaked (adaptively) about 
an instance, without making the problem easy to solve. This implies se- 
curity of the underlying scheme against arbitrary side channel attacks by 
a computationally unbounded adversary as long as the number of leaked 
bits of information is less than the leakage resilience limit. 

The hardness of a computational problem is typically characterized 
by the running time of the fastest (known) algorithm for solving it. We 
propose to consider, as another natural complexity-theoretic quantity, 
the success probability of the best polynomial-time algorithm (which 
can be exponentially small). We refer to its negative logarithm as the 
unpredictability entropy of the problem (which is defined up to an additive 
logarithmic term). 

A main result of the paper is that the leakage-resilience limit and the 
unpredictability entropy are equal. This demonstrates, for the first time, 
the practical relevance of studying polynomial-time algorithms even for 
problems believed to be hard, and even if the success probability is 
too small to be of practical interest. With this view, we look at the 
best probabilistic polynomial time algorithms for the learning with er- 
rors and lattice problems that have in recent years gained relevance in 
cryptography. 

We also introduce the concept of witness compression for computa- 
tional problems, namely the reduction of a problem to another problem 
for which the witnesses are shorter. The length of the smallest achiev- 
able witness for a problem also corresponds to the non-adaptive leakage- 
resilience limit, and it is also shown to be equal to the unpredictability 
entropy of the problem. The witness compression concept is also of inde- 
pendent theoretical interest. An example of an implication of our result 
is that 3-SAT for n variables can be witness compressed from n bits (the 
variable assignments) to 0.41n bits. 

D.H. Lee and X. Wang (Eds.): ASIACRYPT 2011, LNCS 7073, pp. 
1 Introduction and Motivation

1.1 Leakage Resilience of Cryptographic Assumptions 

There have been many recent works (e.g., [refs] and the references therein) aimed at designing cryptographic schemes that are secure against a large class of side-channel attacks. Some of these look at side-channel attacks where the adversary can obtain some function of the secret key. We look at an even more general class of side-channel attacks where the adversary can obtain a bounded amount of arbitrary information. We model this kind of attack by allowing the adversary a bounded number of queries to an infinitely powerful oracle O that can be asked arbitrary binary (YES/NO) questions. This oracle was considered by Maurer [ref] to study the hardness of factoring N given queries to this oracle.

Goldwasser et al. [ref] raised a more general question regarding leakage which
is also the question that we are concerned with: Which of the cryptographic 
assumptions (rather than cryptographic schemes) are secure in the presence of 
leakage of some bits of information? 


1.2 Complexity Notions 

In this section, we introduce three notions, unpredictability entropy, oracle complexity, and witness compressibility, whose relationship we study in this paper.

A well-studied and realistic approach in the study of the computational complexity of a computational problem is to look at probabilistic polynomial time (PPT) algorithms that solve the problem. We define the unpredictability entropy [ref] of a problem (essentially) as −log₂ p, where p is the maximum possible success probability of a PPT algorithm for solving the problem. A common understanding is that the study of probabilistic algorithms makes sense only if the probability of success is non-negligible. While there have been a few results like [refs] that look at the class of one-sided error probabilistic polynomial time (OPP) algorithms for decision problems with negligible success probability p, these are studied with the viewpoint of improving the bound on the exact worst-case complexity of the problem by repeating the algorithm O(1/p) times and hence amplifying the success probability to a non-negligible quantity. However, we argue that PPT algorithms are interesting even if the success probability p is negligible and even if there exist other exact algorithms that run in time much less than O(1/p).

Maurer [ref] considered a class of PPT algorithms for search problems given
the oracle O. If the algorithm is allowed as many binary queries to the oracle 
as is the length of the solution/witness, then there is a trivial algorithm that 
solves the problem. Thus, this class of algorithms is looked at with the goal of 
minimizing the number of queries. The minimum number of queries required by 
a PPT algorithm for solving this problem with overwhelming probability is the 
oracle complexity (which is the same as the leakage-resilience limit) of the prob- 
lem. A motivation for looking at such an oracle, as pointed out by the author, is 
to determine whether the difficulty of a certain problem can be concentrated in a few difficult bits, leading to a new complexity-theoretic classification of problems. This question was answered in the affirmative for the integer factorization problem in [ref], but it remains open for other computational problems. Consider, for instance, the problem of computing discrete logarithms modulo a prime q. One can see that the hardness of this problem and the integer factorization problem are closely related, in the sense that almost all algorithms for solving the factoring problem have a variant that solves the discrete logarithm problem modulo a prime. A survey of this can be found in Chapter 3 of [ref]. However, the hardness of the two problems seems to differ significantly in terms of the number of queries to O required in order to solve these problems in polynomial time. Factoring can be solved with a small number of queries but, to the best of our knowledge, there exists no algorithm that solves the discrete logarithm problem with a non-trivial number (i.e., substantially less than the solution size) of queries to O. Thus, finding the oracle complexity seems to be an interesting research area in itself.

We introduce another related notion called the witness compressibility of a problem. This is the smallest size k such that there is a PPT reduction that reduces the witness size of a given instance to at most k with overwhelming probability. This quantity can be seen as the non-adaptive leakage-resilience limit of an assumption about the hardness of the problem. A problem is not resilient to k bits of non-adaptive leakage if and only if it is witness compressible up to k bits.¹

Note that the three quantities, i.e., unpredictability entropy, oracle complex- 
ity, and witness compressibility can only be defined up to an additive logarithmic 
term (see Section 2.2). 


1.3 Our Contributions 

We show that for all search problems with an efficiently computable verification 
predicate, the following are equivalent. 

(i) There exists a PPT algorithm that solves a problem S with success probability $\Omega(2^{-k})$.

(ii) There exists a PPT algorithm that makes at most k queries to O and solves the problem S with a constant success probability.

(iii) There exists a PPT reduction that reduces the witness size of a given instance of S to at most k with constant probability.

This implies that the three quantities, i.e., unpredictability entropy, oracle com- 
plexity, and witness compressibility are essentially equal. 

From this result, we get an exact characterization of the leakage-resilience of a cryptographic assumption about the hardness of some computational problem S in terms of the best possible PPT algorithm for S. A cryptographic assumption is not robust up to k bits of leakage if and only if there is a PPT algorithm that solves the corresponding problem with probability $\Omega(2^{-k})$. This provides motivation for improving the success probability of PPT algorithms for various computational problems. With this goal in mind, we present in this paper the best PPT algorithms for some problems relevant in cryptography, in particular for the learning with errors and lattice problems that have recently gained substantial importance in cryptography.

¹ Witness compression should not be confused with instance compression, which has been studied in [refs].

The results of this paper also raise some interesting questions in complexity theory. One question this paper draws attention to is the following: Which problems have optimal witness size, or, stated differently, which problems can or cannot be efficiently reduced to problems with a smaller witness size? Combining the results of [ref] with our result gives evidence that the witness size of Circuit-SAT cannot be compressed under reasonable complexity-theoretic assumptions. However, if we look for instance at the 3-SAT problem, which is also an NP-complete problem, combining our results with Schöning's PPT algorithm [ref] that solves 3-SAT with probability (4/3)^{−n}, we conclude that the witness of 3-SAT can be compressed to a log₂(4/3)-fraction, i.e., about 41.5% of its original size.


1.4 Organization of This Paper 

In Section 2, we introduce the definitions of problems and complexity notions mentioned in the introduction. In Section 3, we prove the witness compression lemma and establish the equivalence of (i), (ii) and (iii) mentioned in Section 1.3. In Section 4 we give or mention the best known PPT algorithms for some problems relevant in cryptography. In Section 5 we conclude and give a list of open problems that emerge from the results of this paper.


2 Definitions 

2.1 Computational Search Problems 

A computational search problem S is characterized by an instance space X, a solution (or witness) space W, and a (verification) predicate V : X × W → {0, 1}. Each element of X and W is assumed to be represented as a bitstring. In this paper, unless otherwise stated, we consider problems for which there is a polynomial time algorithm that computes the predicate V. We call this set of problems VC.²

The instance space X can be partitioned into two sets, the set X_1 of instances for which there exists a witness and the set X_0 of instances for which there exists no witness, i.e.,
$$X_1 := \{ x \in X \mid \exists w \in W,\ V(x, w) = 1 \}, \qquad X_0 := \{ x \in X \mid \forall w \in W,\ V(x, w) = 0 \}.$$

² The name of this class, VC, is taken from [ref].

The sets X_1 and X_0 are sometimes referred to as the set of YES instances and that of NO instances, respectively.

We define γ_V : X_1 → ℕ as the size of the smallest witness for a given x, i.e.,
$$\gamma_V(x) := \min_{w \in W:\ V(x, w) = 1} |w|.^{3}$$

A search problem is the problem of finding, for a given element x £ X\, a 
witness w G W such that V(x, w) = 1. By O, we denote the infinitely powerful 
oracle that can answer arbitrary binary questions. The oracle, and hence the 
language in which questions are asked can be defined freely, and hence need not 
be specified (it can be thought of as being universally quantified). 

Let p : ℕ × ℕ → [0, 1] and q : ℕ × ℕ → ℕ ∪ {0} be functions.

Definition 1. Let S = (X, W, V) be a search problem. An algorithm F is called a (p, q)-solver for S if for all m, n ∈ ℕ and for all x ∈ X_1 such that |x| ≤ m and γ(x) ≤ n, F makes at most q(m, n) queries to O, and with probability at least p(m, n), computes w ∈ W such that V(x, w) = 1.

In the above definition, T is called efficient if it runs in time polynomial in 
the size of input. 


2.2 Complexity Notions 

Now, we introduce the notion of witness compressibility. A problem is k-witness compressible if there exists another predicate V' such that for any given instance of the problem there exists a witness of length at most k with respect to V', and given this witness one can efficiently compute a witness with respect to V. More formally,

Definition 2. A search problem S defined by S = (X, W, V) is (deterministic) k-witness compressible if there exists a witness set W', a predicate V' : X × W' → {0, 1}, and a polynomial time algorithm T : X × W' → W such that for all x ∈ X_1,

- γ_{V'}(x) ≤ k(|x|, γ_V(x)),

- for all w ∈ W', V'(x, w) = 1 if and only if V(x, T(x, w)) = 1.

As has been often seen in complexity theory, the best known PPT algo- 
rithm/reduction is significantly faster than the best known deterministic poly- 
nomial time algorithm/reduction, e.g. primality testing. In fact sometimes the 
former exists but the latter eludes discovery. Thus it is reasonable to look at the 
following randomized version of the above definition. 

Definition 3. A search problem S defined by S = (X, W, V) is k-witness compressible within ε if there exists a witness set W', an efficiently samplable random variable S that takes values from a set 𝒮, a set of predicates V'_s : X × W' → {0, 1}, and polynomial time algorithms T_s : X × W' → W parametrized by s ∈ 𝒮 such that for all x ∈ X_1,

- $\Pr\big(\gamma_{V'_S}(x) \le k(|x|, \gamma_V(x))\big) \ge 1 - \varepsilon(|x|, \gamma_V(x))$,⁴

- for all w ∈ W' and s ∈ 𝒮, V'_s(x, w) = 1 if and only if V(x, T_s(x, w)) = 1.

³ We omit the predicate V if it is clear from the context.

With these definitions in place we now define the three quantities that we show, in this paper, are (essentially) equal. Let k = k(m, n) be some integer-valued function.

Definition 4. A search problem S has unpredictability entropy at most k if there exists an efficient (2^{−k}, 0)-solver for S.

Definition 5. A search problem S has oracle complexity at most k if there exists an efficient (1 − ε, k)-solver for S for some negligible function ε(m, n).⁵

Definition 6. A search problem S is k-witness compressible if S is k-witness compressible within ε for some negligible function ε(m, n).

Note that in these definitions, k(m, n) is unique only up to an additive term of O(log₂ m). Also note that we can have an alternative version of these definitions where, for instance, the unpredictability entropy is equal to k(m, n) (again, up to an additive term of O(log₂ m)) by saying that there exists an efficient (2^{−k(m,n)}, 0)-solver but no efficient (2^{−k(m,n) + ω(log₂ m)}, 0)-solver for S. However, it would be cumbersome to make these alternative definitions precise and so we avoid them.

3 Relations between Complexity Notions for Search 
Problems 

3.1 Two Simple Results 

In this section, we give two simple relations between complexity notions for 
search problems. 

Lemma 1. For any search problem S and any functions p = p(m, n), q = q(m, n), and k = k(m, n) ≤ q(m, n), if there exists an efficient (p, q)-solver for S, then there exists an efficient (p · 2^{−k}, q − k)-solver for S.

Proof. Let S be a search problem and let F be an efficient (p, q)-solver for S. Let F' be an algorithm that simulates F except that it guesses the answers to the last k oracle queries uniformly at random. Thus F' makes q − k queries and guesses the answers to the k queries correctly with probability 2^{−k}, and hence succeeds in solving S with probability at least p · 2^{−k}. □

It is folklore, as observed by a number of papers, e.g., [refs], that non-adaptive leakage-resilience is the same as adaptive leakage-resilience. This can be seen in our terminology by the following lemma.

⁴ The witness length is at most k with probability at least 1 − ε, where k and ε are both functions of |x| and γ(x).

⁵ The term negligible, like the term efficient, is in terms of the input size m. So, for any m large enough, any n, and any polynomial P(·), ε(m, n) < 1/P(m).
Lemma 2. For any functions k = k(m, n) and ε = ε(m, n), every search problem is k-witness compressible within ε if and only if it has an efficient (1 − ε, k)-solver.

Proof. (⇒) The idea is that, with probability 1 − ε, the witness size of an instance is reduced to k, and hence we can use k queries to O to obtain a witness for the resulting instance.

Let S = (X, W, V) be the search problem. There exist some W', V'_s : X × W' → {0, 1} and T_s : X × W' → W as in Definition 3. We give a polynomial time algorithm F that is a (1 − ε, k)-solver for S. On input x ∈ X, F samples S = s and then uses k queries to O to ask for w', the string formed from the last k bits of a smallest-length witness w ∈ W' (if it exists) such that V'_s(x, w) = 1. Then the algorithm outputs T_s(x, w').

Let m = |x| and n = γ_V(x). With probability at least 1 − ε(m, n), S = s is such that the conditions of Definition 3 hold. Thus w' = w, since γ_{V'_s}(x) ≤ k(m, n). Hence V'_s(x, w') = 1, which implies V(x, T_s(x, w')) = 1.

(⇐) Let F be a (1 − ε, k)-solver for S. Define W' as the set of all bitstrings and let S denote the random choices made by F. Define T_s(x, w) to be the output of F on input x, with S = s and with the answers to the oracle queries equal to the bits of w. Further, define V'_s(x, w) as V(x, T_s(x, w)). This gives the desired result. □


3.2 The Witness Compression Lemma

We state a few lemmas that we need in order to prove the main lemma of this section.

Lemma 3. Let $Y_1, \dots, Y_t$ be pairwise independent binary random variables with $\Pr(Y_i = 1) = p$ for $1 \le i \le t$. Then
$$\Pr\big(\exists\, i \in \{1, \dots, t\} : Y_i = 1\big) \ge \max\Big(tp - \frac{t^2 p^2}{2},\; 1 - \frac{1}{tp}\Big).$$

Proof. We give two ways to bound the term on the left. Using the Bonferroni inequalities [ref], and the fact that pairwise independence gives $\Pr(Y_{i_1} = 1 \wedge Y_{i_2} = 1) = p^2$,
$$\Pr\big(\exists\, i \in \{1, \dots, t\} : Y_i = 1\big) = \Pr(Y_1 = 1 \vee Y_2 = 1 \vee \dots \vee Y_t = 1)
\ge \sum_{i=1}^{t} \Pr(Y_i = 1) - \sum_{1 \le i_1 < i_2 \le t} \Pr(Y_{i_1} = 1 \wedge Y_{i_2} = 1)
= tp - \frac{t(t-1)}{2}\, p^2 \ge tp - \frac{t^2 p^2}{2}.$$

Now, let $Y = Y_1 + \dots + Y_t$. The expected value of $Y$ is $E(Y) = tp$ and, by pairwise independence, the variance of $Y$ is $\mathrm{Var}(Y) = tp(1-p)$. Thus,
$$\Pr\big(\exists\, i \in \{1, \dots, t\} : Y_i = 1\big) = 1 - \Pr(Y = 0) \ge 1 - \Pr\big(|Y - E(Y)| \ge E(Y)\big) \ge 1 - \frac{\mathrm{Var}(Y)}{E(Y)^2} = 1 - \frac{1-p}{tp} \ge 1 - \frac{1}{tp},$$
where the second-to-last inequality follows from Chebyshev's inequality. □

Lemma 4. Let $\mathbb{F}$ be a finite field of cardinality $2^l$, let $\phi$ be a bijection from $\mathbb{F}$ to $\{0,1\}^l$, and let $T \subseteq \{0,1\}^l$. Further, let $y_1, \dots, y_t$ be some fixed distinct elements of $\mathbb{F}$. Then, for randomly chosen $A, B \in \mathbb{F}$, the probability that $\phi(A y_i + B) \in T$ for some $1 \le i \le t$ is at least
$$\max\Big(\frac{t|T|}{2^l} - \frac{t^2 |T|^2}{2\,(2^l)^2},\; 1 - \frac{2^l}{t|T|}\Big).^{6}$$

Proof. Define binary random variables $Y_1, \dots, Y_t$ such that $Y_i = 1$ if $\phi(A y_i + B) \in T$. Thus,
$$\Pr(Y_i = 1) = \frac{|T|}{2^l},$$
and it can be easily seen that the $Y_i$'s are pairwise independent random variables (for $y_i \ne y_j$, the pair $(A y_i + B, A y_j + B)$ is uniformly distributed over $\mathbb{F}^2$ when $A$ and $B$ are). Therefore, by Lemma 3, the probability that $\phi(A y_i + B) \in T$ for some $1 \le i \le t$ is at least
$$\max\Big(\frac{t|T|}{2^l} - \frac{t^2 |T|^2}{2\,(2^l)^2},\; 1 - \frac{2^l}{t|T|}\Big). \qquad □$$
Now, we state the main lemma of this section.

Lemma 5 (Witness Compression Lemma). Let k = k(m, n) and k' = k'(m, n) ≥ k(m, n) be any functions. Every search problem with an efficient (2^{−k}, 0)-solver is k'-witness compressible within 2^{k − k'}.

Proof. Let S = (X, W, V) be a search problem and let F be an efficient (2^{−k}, 0)-solver for S. For a given input instance x ∈ X_1, let R ∈ {0, 1}^l denote the random choices made by F. Then,
$$\Pr\big(V(x, F(x, R)) = 1\big) \ge 2^{-k}. \qquad (1)$$
We define the set $\mathcal{R}(x)$ as the set of $r$ such that $F$ is successful in finding a witness for $x$ for this choice of $r$, i.e.,
$$\mathcal{R}(x) = \{\, r \in \{0,1\}^l \mid V(x, F(x, r)) = 1 \,\}.$$
From (1), it follows that $|\mathcal{R}(x)| \ge 2^{l-k}$ for all $x \in X_1$.

Now, let $\mathbb{F}$, $\phi$, $A$, $B$ and $y_1, \dots, y_t$ be as in Lemma 4. Thus, by using the second bound from Lemma 4 with $t = 2^{k'}$ and $T = \mathcal{R}(x)$, we get
$$\Pr\big(\exists\, 1 \le i \le 2^{k'} : \phi(A y_i + B) \in \mathcal{R}(x)\big) \ge 1 - \frac{2^l}{2^{k'} \cdot 2^{l-k}} = 1 - 2^{k-k'}.$$
Then, let $S = (A, B)$ be uniformly distributed over $\mathbb{F} \times \mathbb{F}$. Furthermore, define
$$W' = \{0,1\}^{k'}, \qquad T_s(x, w) = F\big(x,\ \phi(A y_w + B)\big), \qquad V'_s(x, w) = V\big(x,\ T_s(x, w)\big),$$
where the $k'$-bit string $w$ is read as the index of $y_w$ among $y_1, \dots, y_{2^{k'}}$. With probability at least $1 - 2^{k-k'}$ over $S$, some $w \in W'$ satisfies $V'_s(x, w) = 1$, so $\gamma_{V'_s}(x) \le k'$, which is the claim. □

⁶ Note that the result of this lemma will hold for any pairwise independent random function from $\mathbb{F}$ to itself, instead of $Ay + B$.

In the above argument, we can also use the first bound from Lemma 4 to show that the problem is k'-witness compressible within
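The following Python program is an added example, not code from the paper: it runs the construction in the proof of Lemma 5 on a constructed toy search problem and checks the Lemma 3 and Lemma 4 bounds against the empirical success rate. The assumptions are ours. The solver's coin space is the prime field Z_P with P = 1021 instead of a field of cardinality 2^l (footnote 6 allows any pairwise independent family, and w ↦ Aw + B mod P is one); the toy problem is a hashcash-style puzzle whose (2^{−k}, 0)-solver simply outputs its coins; and the distinct elements y_1, …, y_{2^{k'}} are the integers 0, …, 2^{k'} − 1.

```python
# Added example (not from the paper): the witness-compression construction of
# Lemma 5 on a constructed toy problem.  Assumptions (ours): coin space Z_P for the
# prime P below, pairwise independent family w -> A*w + B mod P (footnote 6).
import hashlib
import random

P = 1021            # prime; plays the role of the field F of Lemma 4


def verify(x: bytes, w: int, k: int) -> bool:
    """V(x, w) for a hashcash-style puzzle: SHA-256(x || w) must start with k zero bits."""
    digest = hashlib.sha256(x + w.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - k) == 0


def solver(x: bytes, r: int) -> int:
    """F(x, r): a (2^-k, 0)-solver that just outputs its random coins r in Z_P."""
    return r


def good_coins(x: bytes, k: int) -> set:
    """R(x) = { r : V(x, F(x, r)) = 1 }, the coins on which the solver succeeds."""
    return {r for r in range(P) if verify(x, solver(x, r), k)}


def lemma3_bound(t: int, p: float) -> float:
    """Lemma 3: Pr(some Y_i = 1) >= max(t p - t^2 p^2 / 2, 1 - 1/(t p))."""
    if t * p == 0:
        return 0.0
    return max(t * p - t * t * p * p / 2, 1 - 1 / (t * p))


def lemma5_bound(k: int, kprime: int) -> float:
    """Lemma 5: a (2^-k, 0)-solvable problem is k'-witness compressible within 2^(k - k')."""
    return 1 - 2.0 ** (k - kprime)


def compressed_witness_exists(x: bytes, k: int, kprime: int, A: int, B: int) -> bool:
    """Is there w' in W' = {0, ..., 2^k' - 1} with V'_s(x, w') = V(x, T_s(x, w')) = 1,
    where T_s(x, w') = F(x, A*y_{w'} + B) and y_{w'} = w' (distinct elements of Z_P)?"""
    return any(verify(x, solver(x, (A * w + B) % P), k) for w in range(2 ** kprime))


def estimate_success(x: bytes, k: int, kprime: int, trials: int, seed: int = 1) -> float:
    """Empirical Pr over s = (A, B) uniform in Z_P^2 that a compressed witness exists."""
    rng = random.Random(seed)
    hits = sum(compressed_witness_exists(x, k, kprime, rng.randrange(P), rng.randrange(P))
               for _ in range(trials))
    return hits / trials


def demo(k: int = 4, kprime: int = 7, trials: int = 300) -> dict:
    """Compare the solver's success probability, the Lemma 4 bound for t = 2^k' and
    |T| = |R(x)|, the Lemma 5 bound, and the measured compression success rate."""
    x = b"constructed-instance-01"          # constructed sample instance (assumption)
    rx = good_coins(x, k)
    p = len(rx) / P                          # actual success probability of F on x
    return {
        "solver_success": p,
        "lemma4_bound": lemma3_bound(2 ** kprime, p),
        "lemma5_bound": lemma5_bound(k, kprime),
        "empirical": estimate_success(x, k, kprime, trials),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value:.4f}")
```

Note that the compressed witness w' is only k' = 7 bits long while the solver's coins are an element of Z_P (about 10 bits), and that the measured rate sits well above the 1 − 2^{k−k'} = 0.875 guarantee: the pairwise-independence argument is loose, since for A ≠ 0 the 2^{k'} probes are distinct and the true failure probability is closer to (1 − 2^{−k})^{2^{k'}}.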


3.3 The Main Result

Combining the results of Lemmas 1, 2 and 5, we get the following result:

Theorem 1. For any search problem S, and for any functions k = k(m, n) and c = c(m, n) = ω(log₂ m):

- If S is k-witness compressible, then S has oracle complexity at most k.

- If S has oracle complexity at most k, then S has unpredictability entropy at most k.

- If S has unpredictability entropy at most k, then S is (k + c)-witness compressible.

Note that the results of this section are useful only if k(m, n) = ω(log₂ m), because otherwise the corresponding search problem is solvable in expected polynomial time. Thus, without loss of generality, we can assume k(m, n) = ω(log₂ m), and then, choosing c(m, n) as any function asymptotically smaller than k but larger than log₂ m (e.g. c = √k), we get that the three quantities in Theorem 1 are essentially equivalent for functions in k + o(k).

Remark 1: Theorem 1 implies that an assumption of the hardness of a search problem S is secure up to k bits of leakage of arbitrary information if and only if there is no PPT algorithm that succeeds in solving S with probability $\Omega(2^{-k})$. However, the hardness assumptions we consider are worst-case assumptions and not average-case assumptions, which are more relevant in practice. Note that this is not a disadvantage, since our result implies a corresponding result for average-case assumptions, just by restricting the set of instances of the problem to those on which the algorithm is successful with significant (though possibly exponentially small) probability.

Remark 2: A result similar to Theorem 1 can also be proved for decision problems (using essentially the same proofs), but for that we need to be more careful in defining the oracle complexity of a problem and also the success probability of a PPT algorithm, and we do not do so in this version of the paper.

4 PPT Algorithms for Problems Relevant in 
Cryptography 

In this section, we give the best PPT algorithms known for various search prob- 
lems relevant in cryptography. We look in more detail at the learning with errors 
and lattice problems that have been of interest in cryptography in recent years. 
4.1 Factoring and Discrete Logarithms

There is a sequence of results [refs] that show that partial information about p and q is enough to factor the RSA modulus pq. The best result in this direction is the result in [ref] that, under a conjecture, shows that there is a polynomial time algorithm that factors N given ε log₂ N questions to O, where ε is some arbitrary constant. Equivalently, there exists a PPT algorithm that factors N with probability 2^{−ε log₂ N}.

Even though the problem of computing discrete logarithms modulo a prime is closely related to the problem of factoring integers, to the best of our knowledge, there exists no non-trivial PPT algorithm for solving discrete logarithms in Z_p. The same holds for the Computational Diffie-Hellman problem.

It would be interesting to come up with an algorithm for solving discrete logarithms modulo a prime p that runs in time polynomial in log₂ p and succeeds with probability better than the trivial poly(log₂ p)/p.

4.2 Lattices

Preliminaries. An n-dimensional lattice is a discrete additive subgroup of ℝⁿ. A set of linearly independent vectors that generates a lattice is called a basis and is denoted by B = {b_1, …, b_n} ⊂ ℝⁿ. The lattice Λ generated by the basis B is
$$\Lambda = \mathcal{L}(B) = \Big\{ \sum_{i=1}^{n} z_i \mathbf{b}_i \;\Big|\; z_i \in \mathbb{Z} \Big\}.$$
For any point t ∈ ℝⁿ, the distance of t to the closest point in the lattice is written as dist(t, Λ).

The Gram-Schmidt orthogonalization of B, denoted as {b̃_1, …, b̃_n}, is defined as
$$\tilde{\mathbf{b}}_i = \mathbf{b}_i - \sum_{j < i} \mu_{i,j}\, \tilde{\mathbf{b}}_j, \qquad \text{where } \mu_{i,j} = \frac{\langle \mathbf{b}_i, \tilde{\mathbf{b}}_j \rangle}{\langle \tilde{\mathbf{b}}_j, \tilde{\mathbf{b}}_j \rangle}.$$

By λ_1(Λ), we denote the length of the shortest non-zero vector of the lattice Λ. For this paper, the lengths are always assumed to be in the ℓ_2 norm. If the lattice is clear from the context, then we write it simply as λ_1. It is well known and can be shown easily that
$$\lambda_1 \ge \min_i \|\tilde{\mathbf{b}}_i\|.$$

Definition 7. A basis B = {b_1, …, b_n} is a δ-LLL reduced basis [ref] if the following holds:

- ∀ 1 ≤ j < i ≤ n, |μ_{i,j}| ≤ 1/2,

- ∀ 1 ≤ i < n, δ‖b̃_i‖² ≤ ‖μ_{i+1,i} b̃_i + b̃_{i+1}‖².

We choose δ = 3/4, and then it can be easily seen (e.g., refer to [ref]) from the above definition that for a δ-LLL reduced basis, ∀ 1 ≤ i < n, ‖b̃_i‖ ≤ √2 ‖b̃_{i+1}‖. Since there is an efficient algorithm [ref] to compute an LLL-reduced basis, we assume, unless otherwise stated, that the given basis is always LLL-reduced and hence satisfies the above mentioned properties.

Now, we define some problems over lattices that we are interested in for this paper.

Definition 8. The shortest vector problem is defined as follows: Given a basis B of an n-dimensional lattice Λ = ℒ(B), it is required to find a vector v ∈ Λ such that ‖v‖ = λ_1.

A decision variant, whose hardness many cryptographic schemes are based on, is the gap shortest vector problem, defined as follows.

Definition 9. The gap shortest vector problem GapSVP_γ for some γ = γ(n) is defined as follows: Given a basis B of an n-dimensional lattice Λ = ℒ(B) and d > 0 such that d ∉ [λ_1/γ, λ_1), decide whether d ≥ λ_1 or d < λ_1/γ.

Next we define the closest vector problem (CVP) and bounded distance decoding (BDD), which is a special case of the CVP.

Definition 10. The closest vector problem CVP is defined as follows: Given a basis B of an n-dimensional lattice Λ = ℒ(B), and t ∈ ℝⁿ, find v ∈ Λ such that ‖v − t‖ = dist(t, Λ).

Definition 11. The α-bounded distance decoding problem BDD_α for some 0 < α = α(n) < 1/2 is defined as follows: Given a basis B of an n-dimensional lattice Λ = ℒ(B), and t ∈ ℝⁿ such that dist(t, Λ) < αλ_1, find v ∈ Λ such that ‖v − t‖ = dist(t, Λ).

Shortest Vector Problem In this section, we give a polynomial time algorithm that computes the shortest vector of a lattice with probability $2^{-(n+1)(n+2)/4}$. This algorithm, of course, also solves the GapSVP problem.

Theorem 2. There exists a polynomial time algorithm that, given a basis $B$ of a lattice $\Lambda = \mathcal{L}(B)$, finds the shortest vector of $\Lambda$ with probability $2^{-(n+1)(n+2)/4}$.

Proof. Since an LLL-reduced basis can be computed efficiently, we assume without loss of generality that $B$ is an LLL-reduced basis. Let the shortest vector $u$ of the lattice be $u = a_1 b_1 + a_2 b_2 + \cdots + a_n b_n$. Since $\tilde{b}_1 = b_1$ is a lattice vector, therefore $\|u\| \leq \|b_1\|$. By the property of the LLL basis, $\|b_1\| \leq 2^{(i-1)/2}\|\tilde{b}_i\|$, which implies $\|u\| \leq 2^{(i-1)/2}\|\tilde{b}_i\|$. Thus, $|a_i| \leq 2^{(i-1)/2}$. The component $a_i$ is determined by the coefficients of $b_i, \ldots, b_n$ in $u$. Thus, given the coefficients of $b_n, \ldots, b_{i+1}$, the coefficient of $b_i$ can be chosen correctly with probability $1/(2 \cdot 2^{(i-1)/2}) = 2^{-(i+1)/2}$. This gives a polynomial time algorithm that succeeds in finding the shortest vector with probability

$$\prod_{i=1}^{n} 2^{-(i+1)/2} = 2^{-(n+1)(n+2)/4}.$$
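As an added example (not from the paper), the coordinate-by-coordinate guessing behind the proof of Theorem 2 in Python, together with an exact check of Definition 7 on a constructed 3-dimensional basis; Theorems 3 and 4 below use the same guessing with a different box per coordinate. The basis, the dimension and the random seed are assumptions of the example; since the coefficient box is floored to integers, the exact success probability is obtained by enumeration and compared with the bound the theorem states.

```python
from fractions import Fraction
from itertools import product
from math import isqrt
import random

# Constructed 3-dimensional example basis (rows are b_1, b_2, b_3); not taken from the paper.
# It was chosen so that it passes the delta = 3/4 LLL test implemented below.
B_EXAMPLE = [(3, 0, 1), (1, 4, 0), (0, 1, 5)]


def dot(u, v):
    """Exact inner product (entries may be ints or Fractions)."""
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def gram_schmidt(basis):
    """Exact Gram-Schmidt: returns the vectors tilde_b_i and the coefficients mu[i][j]."""
    n = len(basis)
    tilde, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, tilde[j]) / dot(tilde[j], tilde[j])
            v = [vi - mu[i][j] * tj for vi, tj in zip(v, tilde[j])]
        tilde.append(v)
    return tilde, mu


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Definition 7: |mu_ij| <= 1/2 for j < i, and the Lovasz condition for every i < n."""
    tilde, mu = gram_schmidt(basis)
    n = len(basis)
    if any(abs(mu[i][j]) > Fraction(1, 2) for i in range(n) for j in range(i)):
        return False
    for i in range(n - 1):
        w = [mu[i + 1][i] * a + b for a, b in zip(tilde[i], tilde[i + 1])]
        if delta * dot(tilde[i], tilde[i]) > dot(w, w):
            return False
    return True


def coefficient_ranges(n):
    """The box from the proof of Theorem 2: |a_i| <= 2^((i-1)/2), floored to an integer."""
    return [isqrt(2 ** (i - 1)) for i in range(1, n + 1)]


def combine(basis, coeffs):
    """The lattice vector sum_i a_i * b_i as a tuple of ints."""
    dim = len(basis[0])
    return tuple(sum(a * b[k] for a, b in zip(coeffs, basis)) for k in range(dim))


def norm_sq(v):
    return sum(x * x for x in v)


def lambda1_sq(basis):
    """lambda_1^2 by brute force over the box, which Theorem 2 shows contains a shortest vector."""
    boxes = [range(-r, r + 1) for r in coefficient_ranges(len(basis))]
    lengths = [norm_sq(combine(basis, c)) for c in product(*boxes) if any(c)]
    return min(lengths)


def guess_shortest(basis, rng):
    """One run of the Theorem 2 algorithm: every coefficient is drawn uniformly from its box."""
    coeffs = [rng.randint(-r, r) for r in coefficient_ranges(len(basis))]
    return combine(basis, coeffs)


def exact_success_probability(basis):
    """Exact probability that guess_shortest returns a non-zero vector of length lambda_1."""
    boxes = [range(-r, r + 1) for r in coefficient_ranges(len(basis))]
    target = lambda1_sq(basis)
    choices = list(product(*boxes))
    hits = sum(1 for c in choices if any(c) and norm_sq(combine(basis, c)) == target)
    return Fraction(hits, len(choices))


def theorem2_bound(n):
    """The success probability claimed by Theorem 2 for dimension n."""
    return 2.0 ** (-(n + 1) * (n + 2) / 4)


if __name__ == "__main__":
    assert is_lll_reduced(B_EXAMPLE)
    rng = random.Random(2011)  # constructed seed
    target, trials = lambda1_sq(B_EXAMPLE), 20000
    hits = sum(norm_sq(guess_shortest(B_EXAMPLE, rng)) == target for _ in range(trials))
    print("lambda_1^2 =", target)
    print("exact success probability:", exact_success_probability(B_EXAMPLE))
    print("Monte Carlo estimate:", hits / trials, " Theorem 2 bound:", theorem2_bound(3))
```

For this basis the box has $3 \cdot 3 \cdot 5 = 45$ coefficient choices and exactly two of them ($\pm b_1$) reach $\lambda_1$, so the exact probability $2/45$ lies above the bound $2^{-5}$ of Theorem 2.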
Closest Vector Problem In this section, we give a polynomial time algorithm that solves the closest vector problem with probability $2^{-n(n+1)/4}$.

Theorem 3. There exists a polynomial time algorithm that, given a basis $B$ of an $n$-dimensional lattice $\Lambda = \mathcal{L}(B)$, and $t \in \mathbb{R}^n$, finds $v \in \Lambda$ such that $\|v - t\| = \mathrm{dist}(t, \Lambda)$ with probability $2^{-n(n+1)/4}$.

Proof. Let $t = p_1 b_1 + \cdots + p_n b_n$ and let the closest vector to $t$ in the lattice be $u = a_1 b_1 + a_2 b_2 + \cdots + a_n b_n$. Babai's algorithm [ref] returns a vector $x$ such that $\|x - t\| \leq \frac{1}{2} 2^{n/2} \|\tilde{b}_n\|$. Thus $\|u - t\| \leq \|x - t\| \leq \frac{1}{2} 2^{n/2} \|\tilde{b}_n\|$, which implies $|a_n - p_n| \leq \frac{1}{2} 2^{n/2}$. Thus the algorithm proceeds as follows: Choose $a_n$ uniformly at random from $(p_n - \frac{1}{2} 2^{n/2},\, p_n + \frac{1}{2} 2^{n/2})$ and recursively compute the closest vector to $t - a_n b_n$ in the lattice $\mathcal{L}(b_1, \ldots, b_{n-1})$. The probability that $(\bar{a}_1, \ldots, \bar{a}_n) = (a_1, \ldots, a_n)$ is

$$\prod_{i=1}^{n} 2^{-i/2} = 2^{-n(n+1)/4}.$$


Bounded Distance Decoding (BDD) Problem The algorithm given in the previous section, of course, also solves the BDD problem since BDD is a special case of the closest vector problem. However, there exists an algorithm for $\mathrm{BDD}_\alpha$ with a larger success probability $\alpha^{-n} 2^{-(n+1)(n+2)/4}$ as given below.

Theorem 4. There exists a polynomial time algorithm that, given a basis $B$ of an $n$-dimensional lattice $\Lambda = \mathcal{L}(B)$, and $t \in \mathbb{R}^n$ such that $\mathrm{dist}(t, \Lambda) < \alpha\lambda_1$ for some $0 < \alpha(n) < 1/2$, finds $v \in \Lambda$ such that $\|v - t\| = \mathrm{dist}(t, \Lambda)$ with probability

$$\alpha^{-n} 2^{-(n+1)(n+2)/4}.$$

Proof. Since an LLL-reduced basis can be computed efficiently, we assume without loss of generality that $B$ is an LLL-reduced basis. Let $t = t_1 b_1 + t_2 b_2 + \cdots + t_n b_n$ and the closest vector $u$ of the lattice be $u = u_1 b_1 + u_2 b_2 + \cdots + u_n b_n$. Since $\tilde{b}_1 = b_1$ is a lattice vector, therefore $\|u - t\| < \alpha\|b_1\|$. By the property of the LLL basis, $\|b_1\| \leq 2^{(i-1)/2}\|\tilde{b}_i\|$, which implies $\|u - t\| < 2^{(i-1)/2}\alpha\|\tilde{b}_i\|$. Thus, $|u_i - t_i| < \alpha 2^{(i-1)/2}$. The component $u_i$ is determined by the coefficients of $b_i, \ldots, b_n$ in $u$. Thus, given the coefficients of $b_n, \ldots, b_{i+1}$, the coefficient of $b_i$ can be chosen correctly with probability $1/(2\alpha \cdot 2^{(i-1)/2}) = 2^{-(i+1)/2}\alpha^{-1}$. This gives a polynomial time algorithm that succeeds in finding the closest vector with probability

$$\prod_{i=1}^{n} 2^{-(i+1)/2}\alpha^{-1} = \alpha^{-n} 2^{-(n+1)(n+2)/4}.$$


4.3 Learning with Errors and Its Relation to Lattice Problems 

In this section, we mention the best PPT algorithm for the learning with errors 
(LWE) problem and its relation to the lattice problems with respect to leakage. 
The proofs and other details are omitted. 
Theorem 5. For some function $\beta = \beta(n)$ such that $\beta q = \omega(\log_2 n)$, $\beta(n) = o(1/\log_2 n)$ and $m > n$, there is a polynomial time algorithm that solves search-$\mathrm{LWE}_{n,q,m,\psi_\beta}$ with probability $(\beta q \log_2 n)^{-n}$ for a constant fraction of the inputs.

Note that it is straightforward to interpret the above mentioned algorithms for LWE and lattice problems as PPT algorithms that succeed with constant probability given $-\log_2 p$ queries to $\mathcal{O}$ (or equivalently $-\log_2 p$ bits of leakage), where $p$ is the success probability of the algorithm. We do not need the witness compression lemma to make this conclusion. The witness compression lemma however implies that if there is any PPT algorithm for any of these problems that succeeds with probability $p' < p$, then there is a PPT algorithm that makes $-\log_2 p'$ queries to $\mathcal{O}$ and succeeds with constant probability.

It is common practice to base LWE-based schemes on the hardness of lattice problems. In the same spirit, by a careful inspection of the reduction of BDD to LWE from [ref], we get the following result:

Theorem 6. If there exists a PPT algorithm that solves search-$\mathrm{LWE}_{n,q,m,\psi_\beta}$ with probability $p$ then there exists a PPT algorithm that solves BDD with probability $c \cdot p^{(n/\log_2 q + 1)}$ for some constant $c$.

By Theorem 6 we can base the LWE assumption with leakage on the exponential hardness of the BDD assumption as follows.

Corollary 1. If there exists no polynomial time algorithm that solves BDD with probability $2^{-\delta n}$, then the search-$\mathrm{LWE}_{n,q,m,\psi_\beta}$ assumption is robust to $\delta n \log_2 q - o(\log_2 q)$ bits of leakage.

5 Conclusions and Open Problems 

We show that the unpredictability entropy of a problem is equal to its leakage-resilience limit. This provides motivation to look at PPT algorithms for problems relevant in cryptography with maximum possible success probability. A question that is wide open is to what extent the success probability of PPT algorithms can be improved for various problems like the discrete logarithm problem, the search LWE problem or various lattice problems. Note that if we repeatedly run the algorithms for lattice problems given in Section 5 to amplify the success probability to a non-negligible quantity, we get algorithms with running time $2^{O(n^2)}$, which is much worse than the best known algorithms that run in time $2^{O(n)}$ [ref]. Due to this large gap, one might expect that it should be possible to improve the success probability of a PPT algorithm and that this has eluded discovery because of lack of attention to this question.

The witness compression lemma implies that the best known PPT algorithms, for instance [ref], immediately give a lower bound on the maximum witness compressibility of the corresponding problems.

The Leakage-Resilience Limit of a Computational Problem 699

The results of [ref] give evidence that perhaps Circuit-SAT is not witness compressible to any non-trivial witness size. In fact the result of [ref], which shows that there exists no non-trivial PPT algorithm for Circuit-SAT (and hence for all NP problems) under reasonable complexity assumptions, can be proved by proving a decision version of the witness compression lemma. If there exist non-trivial PPT algorithms for all NP problems, we can repeatedly apply the witness compression lemma until the witness size is reduced to a constant, thus resulting in a sub-exponential time algorithm for any NP problem, which is not believed to be possible. It is interesting to look at the question of which other problems, like Circuit-SAT, are not witness compressible. The discrete logarithm problem modulo a prime seems to be a candidate.

Another interesting research direction is to look at PPT-reductions, i.e., PPT algorithms for solving one "hard" problem given a PPT algorithm for solving another problem (with possibly negligible success probability). Consider, for instance, the reduction of [ref] from GapSVP to BDD. This reduction was derived from the main idea of [ref] in obtaining the first public key cryptosystem whose hardness was based on the GapSVP. This reduction does not seem to translate easily to the case of PPT algorithms, since given a BDD oracle that solves the problem with an exponentially small probability, it is not clear how to use it to solve the GapSVP problem. If such a reduction were possible, we could base the leakage-resilience of the search LWE assumption on the exponential hardness of the GapSVP problem.
Abstract. We present a generic method to secure various widely-used cryptosystems against arbitrary side-channel leakage, as long as the leakage adheres to three restrictions: first, it is bounded per observation but in total can be arbitrarily large. Second, memory parts leak independently, and, third, the randomness that is used for certain operations comes from a simple (non-uniform) distribution.

As a fundamental building block, we construct a scheme to store a cryptographic secret such that it remains information theoretically hidden, even given arbitrary continuous leakage from the storage. To this end, we use a randomized encoding and develop a method to securely refresh these encodings even in the presence of leakage. We then show that our encoding scheme exhibits an efficient additive homomorphism which can be used to protect important cryptographic tasks such as identification, signing and encryption. More precisely, we propose efficient implementations of the Okamoto identification scheme, and of an ElGamal-based cryptosystem with security against continuous leakage, as long as the leakage adheres to the above mentioned restrictions. We prove security of the Okamoto scheme under the DL assumption and CCA2 security of our encryption scheme under the DDH assumption.


1 Introduction 

In the last years, a large body of work attempts to analyze the effectiveness of side-channel countermeasures in a mathematically rigorous way. These works propose a physical model incorporating a (mostly broad) class of side-channel attacks and design new cryptographic schemes that provably withstand them under certain assumptions about the physical hardware (see, e.g., [ref] and many more). By now we have seen new constructions for many important cryptographic primitives such as digital signature and public key encryption schemes that are provably secure against surprisingly broad classes of leakage attacks.

Unfortunately, most of these new constructions are rather complicated non-standard schemes, often relying on heavy cryptographic machinery, which makes them less appealing for implementations on computationally limited devices. In this work, we take a different approach: instead of developing new cryptograph­ic schemes, we ask the natural question whether standard, widely-used cryptosystems can be implemented efficiently such that they remain secure in the presence of continuous bounded leakage. We answer this question affirmatively, and show a generic way that "compiles" various common cryptosystems into schemes that remain secure against a broad class of leakage attacks.

Similar to earlier work, we make certain restrictions on the leakage. We follow the work of Dziembowski and Pietrzak [ref], and allow the leakage to be arbitrary as long as the following two restrictions are satisfied:

1. Bounded leakage: the amount of leakage in each round is bounded to $\lambda$ bits (but overall can be arbitrarily large).

2. Independent leakage: the computation can be structured into rounds, 
where each such round leaks independently (we define the notion of a “round” 
below). 

Formally, this is modeled by letting the adversary in each round choose a polynomial time computable leakage function $f$ with range $\{0, 1\}^\lambda$, and then giving her $f(\tau)$ where $\tau$ is all the data that has been accessed during the current round. In addition to these two restrictions, we require that our device has access to a source of correlated randomness generated in a leak-free way, e.g., computed by a simple leak-free component. We elaborate in the following on our leakage restrictions.

On the bounded leakage assumption. Most recent work on leakage resilient cryptography requires that the leakage is bounded per observation to some fraction of the secret key. This models the observation that in practice many side-channel attacks only exploit a polylogarithmic amount of information, and typically require thousands of observations until the single key can be recovered. This is, for instance, the case for DPA-based attacks where the power consumption is modeled by a weighted sum of the computation's intermediate values. We would like to mention that all our results also remain true in the entropy loss model, i.e., we do not necessarily require that the leakage is bounded to $\lambda$ bits, but rather only need that the min entropy of the state remains sufficiently high even after given the leakage.

On independent leakages. In this paper, we assume that the memory of the device is divided into three parts $L$, $R$ and $C$ where $(L, C)$ and $(R, C)$ leak independently. To use the independent leakage assumption, we structure the computation into rounds, where each round only accesses either $(L, C)$ or $(R, C)$. Similar assumptions have been used in several works [ref].


On leak-free components. We require that devices that implement our schemes have access to a source of correlated randomness sampled in a leak-free way. Such a source can, for instance, be implemented by a probabilistic leak-free component that outputs the correlated randomness. Of course, the assumption of a leak-free component is a strong requirement on the hardware, but let us argue why in our particular case it still may be a feasible assumption. As in earlier works that made use of leak-free components [ref], we require that our component leaks from its outputs, but the leakage function is oblivious to its internals. To be more concrete, in the simplest case our component $\mathcal{O}$ outputs two random vectors $A, B \leftarrow \mathbb{F}^n$ (with $\mathbb{F}$ being a finite field and $n$ being a statistical security parameter) such that their inner product is 0, i.e., $\sum_i A_i \cdot B_i = 0$. We require that $A$ gets stored on one part of the memory, while $B$ gets stored on the other; thus, we require that $A$ and $B$ leak independently.

Our component $\mathcal{O}$ exhibits several properties that are beneficial for implementations. First, $\mathcal{O}$ is simple and small. It can be implemented in size linear in $n$, as one simply needs to sample uniformly at random vectors $A$ and $(B_1, \ldots, B_{n-1})$ and compute the last element $B_n$ such that $\sum_i A_i \cdot B_i = 0$.¹ Second, $\mathcal{O}$ is used in a very limited way, namely, it is needed only when the secret key gets refreshed (cf. Section [ref] for further discussion on this). Finally, $\mathcal{O}$ does not take any inputs, and hence its computation is completely independent of the actual computation (e.g., encryption or signing) that is carried out by the device. This not only allows testing the component independently from the actual cryptoscheme that is implemented, but moreover makes it much harder to attack by side-channel analysis, as successful attacks usually require some choice (or at least knowledge) over the inputs.


1.1 Leakage Resilient Standard Cryptographic Schemes 

While in the last years tremendous progress has been made in the design of new 
cryptographic schemes with built-in leakage resilience, two common criticisms 
are frequently brought up: 

1. Cryptographic schemes are rarely used stand-alone, but more often are part of an industrial standard. Even if desirable, it is unlikely that in the near future these standards will be adjusted to include recent scientific progress.

2. Many of the current leakage resilient cryptoschemes are complicated, rely on non-standard complexity assumptions and are often rather inefficient.

In this work, we are interested in techniques that allow for efficient leakage resilient implementations of widely-used cryptographic schemes. Before we give an overview of our contributions in the next section, we discuss some related literature that considered a similar question.

Leakage Resilient Circuit Compilers. One fundamental question in leakage resilient cryptography is whether any computation can be implemented in a way that resists certain side-channel leakages. This question has been studied in a series of works [ref] and dates back to the work of Ishai et al. [ref]. In particular, the works of Juma and Vahlis [ref] and Goldwasser and Rothblum [ref] study the question whether any computation can be implemented in a way that withstands arbitrary polynomial-time computable leakages. As a building block they use a public-key encryption scheme and encrypt the entire computation of the circuit. More precisely, the approach of Juma and Vahlis makes use of fully homomorphic encryption, while Goldwasser and Rothblum generate for each Boolean wire of the circuit a new key pair and encrypt the current value on the wire using the corresponding key. We would like to emphasize that all circuit compilers (except for the one of Ishai et al.) require leak-free components. Notice also that the work of Goldwasser and Rothblum and Juma and Vahlis requires the independent leakage assumption.

¹ For simplicity, we assume that $A_n$ is non-zero.

Leakage Resilient ElGamal. While circuit compilers allow to secure any (cryptographic) computation against leakage, they typically suffer from a large efficiency overhead. A recent work of Kiltz and Pietrzak [ref] makes progress in this direction. The authors show that certain standard cryptographic schemes can be implemented efficiently in a leakage resilient way. The main weakness of this work is that the security proof is given in the generic group model.

1.2 Our Contribution 

In this paper, we show a generic method to implement various standard cryp- 
tographic schemes that are provably secure in the above described leakage model. 
More precisely, we propose an efficient and simple implementation of the Okamoto 
authentication/signature scheme and of an ElGamal-based encryption scheme, 
and prove the security of our implementations under continuous leakage attacks. 
We also discuss why our techniques are fairly general and may find applica- 
tions for the secure implementation of various other cryptographic schemes. As 
a fundamental tool, we introduce an information theoretically secure scheme to 
refresh an encoded secret in the presence of continuous leakage. We detail on 
our results below. 

Leakage Resilient Refreshing of Encoded Secrets. Recently, Davi et al. [ref] introduced the notion of leakage resilient storage (LRS). An LRS encodes a secret $S$ such that given partial knowledge about the encoding an adversary does not obtain any knowledge about the encoded secret $S$. One of their instantiations relies on the inner product two-source extractor introduced in the seminal work of Chor and Goldreich [ref]. In this scheme the secret $S$ is encoded as a pair $(L, R) \in \mathbb{F}^n \times \mathbb{F}^n$, where $\mathbb{F}$ is some finite field, and $\langle L, R\rangle := \sum_i L_i \cdot R_i = S$. Unfortunately, the construction of Davi et al. has one important weakness: it can trivially be broken if an adversary continuously leaks from the two parts $L$ and $R$. The first contribution of this paper is to propose an efficient refreshing scheme for the inner product based encoding.

This is achieved by dividing the memory of the device into three parts $L$, $R$ and $C$, where initially $(L, R)$ are chosen uniformly subject to the constraint that $\langle L, R\rangle = S$, and $C$ is empty. Our refreshing scheme $\mathsf{Refresh}$ takes as input $(L, R)$ and outputs a fresh encoding $(L', R')$ of $S$. The computation of $\mathsf{Refresh}$ will be structured into several rounds, where in each round we only touch either $(L, C)$ or $(R, C)$, but never $L$ and $R$ at the same time. We will allow the adversary to adaptively leak a bounded amount of information from $(L, C)$ and $(R, C)$. In fact, this is the only assumption we make, i.e., we do not require that the rounds of the computation leak independently. Since in our protocol the third part $C$ is only used to "communicate" information between $L$ and $R$, we will usually describe our schemes in form of a 2-party protocol: one party, $P_L$, is controlling $L$, while the second party, $P_R$, holds $R$. The third part $C$ is used to store messages that are exchanged between the parties. Hence, instead of saying that we allow the adversary to retrieve information from $(L, C)$ and $(R, C)$, we can say that the leakage functions take as inputs all variables that are in the view of $P_L$ or $P_R$.

Our protocol for the refreshing uses the following basic idea. Suppose initially $P_L$ holds $L$ and $P_R$ holds $R$ with $\langle L, R\rangle = S$, then we proceed as follows:

1. $P_L$ chooses a vector $X$ that is orthogonal to $L$, i.e., $\langle L, X\rangle = 0$, and sends it over to $P_R$.

2. $P_R$ computes $R' := R + X$ and chooses a vector $Y$ that is orthogonal to $R'$ and sends it over to $P_L$.

3. $P_L$ computes $L' := L + Y$.

The output of the protocol is $(L', R')$. By simple linear algebra it follows that $\langle L, R\rangle = \langle L', R'\rangle = S$. One may hope that the above scheme achieves security in the presence of continuous leakage. Perhaps counterintuitively, we show in the full version of this paper that this simple protocol can be broken if the leakage function can be evaluated on $(L, X, Y)$ and $(R, X, Y)$. To avoid this attack, we introduce a method for $P_L$ to send a random $X$ to $P_R$ in an "oblivious" way, i.e., without actually learning anything about $X$, besides the fact that $X$ is orthogonal to $L$ (and symmetrically a similar protocol for $P_R$ sending $Y$ to $P_L$). We propose an efficient protocol that achieves this property by making use of our source of correlated randomness $(A, B) \leftarrow \mathcal{O}$. Notice that even given access to such a distribution, the refreshing of an encoded secret is a non-trivial task, as, e.g., just computing $L' = L + A$ and $R' = R + B$ does not preserve the secret.

The protocol that we eventually construct in Figure [ref] actually solves a more general problem: we will consider schemes for storing vectors $S \in \mathbb{F}^m$, and the encoding of a secret $S$ will be a random pair $(L, R)$ where $L$ is a vector of length $n$ and $R$ is an $n \times m$ matrix (where $n > m$ is some parameter), and $S = L \cdot R$.
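The following added Python example (not the paper's own code) implements the inner product encoding over a prime field, the leak-free component $\mathcal{O}$, the three-step refresh sketched above, and the $L' = L + A$, $R' = R + B$ step the text warns about; the field size P, the vector length N and the seeds are assumptions of the example. It demonstrates only what the linear algebra guarantees (the secret survives the refresh, and does not survive the naive update), not the leakage security that the text says the simple protocol lacks.

```python
import random

# Constructed parameters for this example (not from the paper): the field F = GF(P) for a
# prime P, and vectors of length N.
P = 1_000_003
N = 4


def inner(u, v):
    """<u, v> = sum_i u_i * v_i in GF(P)."""
    return sum(a * b for a, b in zip(u, v)) % P


def random_vector(rng, nonzero):
    """A uniform vector in F^N; if `nonzero`, resample until it is not the zero vector."""
    while True:
        v = [rng.randrange(P) for _ in range(N)]
        if any(v) or not nonzero:
            return v


def solve_coordinate(v, w, target):
    """Return w with one coordinate w_k (v_k != 0) replaced so that <v, w> = target.
    With the other coordinates uniform, the result is uniform on the hyperplane <v, .> = target."""
    k = next((i for i, x in enumerate(v) if x), None)
    if k is None:
        raise ValueError("v must be non-zero")
    w = list(w)
    w[k] = 0
    w[k] = (target - inner(v, w)) * pow(v[k], -1, P) % P
    return w


def encode(s, rng):
    """Inner-product encoding of s: a random (L, R) subject to <L, R> = s."""
    L = random_vector(rng, nonzero=True)
    R = solve_coordinate(L, random_vector(rng, nonzero=False), s)
    return L, R


def decode(L, R):
    return inner(L, R)


def leak_free_component(rng):
    """The component O: random (A, B) with <A, B> = 0, one coordinate of B solved for."""
    A = random_vector(rng, nonzero=True)
    B = solve_coordinate(A, random_vector(rng, nonzero=False), 0)
    return A, B


def random_orthogonal(v, rng):
    """A random X with <v, X> = 0 (what P_L and P_R pick in steps 1 and 2)."""
    return solve_coordinate(v, random_vector(rng, nonzero=False), 0)


def naive_refresh(L, R, rng):
    """The three-step refresh from the text. X and Y would travel through the shared part C."""
    X = random_orthogonal(L, rng)                     # step 1: chosen by P_L, sent to P_R
    R_new = [(r + x) % P for r, x in zip(R, X)]       # step 2: P_R computes R' = R + X
    Y = random_orthogonal(R_new, rng)                 #         and picks Y orthogonal to R'
    L_new = [(l + y) % P for l, y in zip(L, Y)]       # step 3: P_L computes L' = L + Y
    # <L', R'> = <L, R> + <L, X> + <Y, R + X> = S + 0 + 0
    return L_new, R_new


def broken_refresh(L, R, A, B):
    """L' = L + A, R' = R + B with (A, B) from O: this does NOT preserve the secret in general."""
    return [(l + a) % P for l, a in zip(L, A)], [(r + b) % P for r, b in zip(R, B)]


def refresh_check(secret, rounds, seed):
    """Refresh `rounds` times; return (every decode equals secret, every encoding was distinct)."""
    rng = random.Random(seed)
    L, R = encode(secret, rng)
    seen = {(tuple(L), tuple(R))}
    for _ in range(rounds):
        L, R = naive_refresh(L, R, rng)
        if decode(L, R) != secret:
            return False, False
        seen.add((tuple(L), tuple(R)))
    return True, len(seen) == rounds + 1


def component_check(seed):
    """Return <A, B> for one sample from O (must be 0)."""
    A, B = leak_free_component(random.Random(seed))
    return inner(A, B)


def broken_refresh_check(secret, seed):
    """Return (decode after L + A, R + B; the value S + <L, B> + <A, R> it always equals)."""
    rng = random.Random(seed)
    L, R = encode(secret, rng)
    A, B = leak_free_component(rng)
    L2, R2 = broken_refresh(L, R, A, B)
    return decode(L2, R2), (secret + inner(L, B) + inner(A, R)) % P
```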
Leakage Resilient Authentication and Signatures. We then use our 
protocol for refreshing an encoded secret as a building block to efficiently im- 
plement standard authentication and signature schemes. More concretely, we 
show that under the DL assumption a simple implementation of the widely-used 
Okamoto authentication scheme is secure against impersonation attacks even if 
the prover’s computation leaks continuously. Using the standard Fiat-Shamir 
heuristic, we can turn our protocol into a leakage resilient signature scheme. 

At a high level, our transformation of the standard Okamoto scheme encodes the original secret keys with our inner product based encoding scheme. Then, we carry out the computation of the prover in "encoded form", and finally after each execution of the prover, we refresh the encoded secrets using our leakage resilient refreshing scheme. To carry out the computation of the prover in encoded form, we use the following two observations about the inner product based encoding:

1. it exhibits an additive homomorphism, i.e., if we encode two secrets $S_1, S_2$ as $(L, Q)$ and $(L, R)$, then $(L, Q + R)$ represents an encoding of $S_1 + S_2$. Moreover, if $Q$ and $R$ are stored on the same memory part, then this computation can be carried out in a leakage resilient way.

2. for two secrets $S_1$ and $S_2$ and two group generators $g_1$ and $g_2$, it allows to compute $g_1^{S_1} \cdot g_2^{S_2}$ in a leakage-resilient way. To illustrate this, suppose that $S_1$ is encoded by $(L, Q)$ and $S_2$ is encoded by $(L, R)$. A protocol to compute $g_1^{S_1} \cdot g_2^{S_2}$ then proceeds as follows. $P_R$ computes the vector $A := g_1^{Q} g_2^{R} = (g_1^{Q_1} g_2^{R_1}, \ldots, g_1^{Q_n} g_2^{R_n})$ and sends it over to $P_L$. Next, $P_L$ computes the vector $B := A^{L} = (A_1^{L_1}, \ldots, A_n^{L_n})$ and finally it computes $g_1^{S_1} g_2^{S_2} = \prod_i B_i$.

Together with our scheme for refreshing the inner product encoding, these two basic components suffice to implement the standard Okamoto authentication scheme in a leakage resilient way (cf. Section [ref]).
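Both observations, as an added Python example that is not the paper's code: the exponent field is GF(Q) for a constructed safe prime P = 2Q + 1, with $g_1 = 4$ and $g_2 = 9$ generating the order-Q subgroup of $\mathbb{Z}_P^*$; these values, the vector length and the seeds are assumptions of the example. The two rounds of the exponentiation protocol touch disjoint memory parts, exactly as the text describes.

```python
import random

# Constructed group for this example (not from the paper): the order-Q subgroup of Z_P^* for the
# safe prime P = 2Q + 1; exponents, and hence the encoding field F, live in GF(Q).
P = 1019
Q = 509
G1, G2 = 4, 9      # quadratic residues != 1, hence generators of the order-Q subgroup
N = 4              # length of the encoding vectors


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1
assert all(pow(g, Q, P) == 1 and g != 1 for g in (G1, G2))


def inner(u, v):
    """<u, v> in GF(Q)."""
    return sum(a * b for a, b in zip(u, v)) % Q


def fresh_left(rng):
    """A random L with L_N != 0, so that solving for the last coordinate of R below works."""
    L = [rng.randrange(Q) for _ in range(N)]
    L[-1] = rng.randrange(1, Q)
    return L


def encode_with(L, s, rng):
    """Encode s under a shared left part L: a random R with <L, R> = s."""
    R = [rng.randrange(Q) for _ in range(N - 1)] + [0]
    R[-1] = (s - inner(L, R)) * pow(L[-1], -1, Q) % Q
    return R


def add_encodings(Qv, Rv):
    """Observation 1: (L, Q + R) encodes S1 + S2; only the memory part holding Q and R is touched."""
    return [(a + b) % Q for a, b in zip(Qv, Rv)]


def encoded_exponentiation(L, Qv, Rv):
    """Observation 2: g1^S1 * g2^S2 from (L, Q) and (L, R), never reconstructing S1 or S2."""
    # Round of P_R (touches only Q, R): A_i = g1^{Q_i} * g2^{R_i}; A goes to P_L through C.
    A = [pow(G1, q, P) * pow(G2, r, P) % P for q, r in zip(Qv, Rv)]
    # Round of P_L (touches only L and A): B_i = A_i^{L_i}, then the product over i.
    B = [pow(a, l, P) for a, l in zip(A, L)]
    out = 1
    for b in B:
        out = out * b % P
    return out      # = g1^{sum_i L_i Q_i} * g2^{sum_i L_i R_i} = g1^{S1} * g2^{S2}


def direct_exponentiation(s1, s2):
    """The unprotected computation, used only to check the protocol's output."""
    return pow(G1, s1, P) * pow(G2, s2, P) % P


def run_demo(s1, s2, seed):
    """Encode s1, s2 under one L and return whether both observations hold for them."""
    rng = random.Random(seed)
    L = fresh_left(rng)
    Qv, Rv = encode_with(L, s1, rng), encode_with(L, s2, rng)
    sum_ok = inner(L, add_encodings(Qv, Rv)) == (s1 + s2) % Q
    exp_ok = encoded_exponentiation(L, Qv, Rv) == direct_exponentiation(s1, s2)
    return sum_ok, exp_ok
```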

Leakage Resilient CCA2-secure encryption. As a third contribution, we 
show that a simple and efficient variant of the ElGamal cryptosystem can be 
proven to be CCA2 secure in the RO model even if the computation from the 
decryption process leaks continuously. We would like to emphasize that we allow 
the leakage to depend on the target ciphertext. We achieve this by exploiting 
the independent leakage assumption and carry out the computation using the 
above described protocol for secure exponentiation. We would like to note that 
even though our scheme uses a simulation sound (SS) NIZK, our construction 
is rather efficient, as SS-NIZKs can be implemented efficiently via the Fiat- 
Shamir heuristic. Notice that the Fiat-Shamir heuristic is the only place where 
the random oracle assumption is used. 

A GENERAL PARADIGM FOR LEAKAGE RESILIENT IMPLEMENTATIONS. We observe that our methods for implementing cryptographic schemes are fairly general. Indeed, the two main properties that we require are

1. The secret key of the cryptosystem is an element in a finite field, and the 
scheme computes only a linear function of the secret keys, and 

2. The secret key is hidden information theoretically even given the transcript 
that an adversary obtains when interacting with the cryptosystem. 

Various other cryptosystems satisfy these properties. For instance, we can use 
our techniques to construct a (rather inefficient) leakage resilient CCA2-secure 
encryption scheme that is provably secure in the standard model. 

Comparison to Other Related Work We would like to mention that in a series of important recent works [ref] new schemes for leakage resilient signing and encryption (CPA-secure) have been proposed. While these works have an obvious advantage over our work by considering a more powerful leakage model, we would like to point out that these schemes are non-standard, rather inefficient and rely on non-standard assumptions. Very recently, Dodis et al. [ref] introduced a method for storing and refreshing a secret. Their construction does not require leak-free components, but is rather inefficient and relies on computational assumptions. Moreover, it is not clear if it can be used for other purposes such as implementing standard cryptosystems.

2 Preliminaries 

For a natural number $n$ the set $\{1, \ldots, n\}$ will be denoted by $[n]$. If $X$ is a random variable then we write $x \leftarrow X$ for the value that the random variable takes when sampled according to the distribution of $X$. In this paper, we will slightly abuse notation and also denote by $X$ the probability distribution on the range of the variable. $V$ is a row vector, and we denote by $V^T$ its transposition. We let $\mathbb{F}$ be a finite field and for $m, n \in \mathbb{N}$, let $\mathbb{F}^{m \times n}$ denote the set of $m \times n$-matrices over $\mathbb{F}$. Typically, we use $M_i$ to denote the column vectors of the matrix $M$. For a matrix $M \in \mathbb{F}^{m \times n}$ and an $m$-element vector $V \in \mathbb{F}^m$ we denote by $V \cdot M$ the $n$-element vector that results from matrix multiplication of $V$ and $M$. For a natural number $n$ by $(0^n)$ we will denote the vector $(0, \ldots, 0)$ of length $n$. We will often use the set of non-singular $m \times m$ matrices denoted by $\mathrm{NonSing}_{m \times m}(\mathbb{F}) \subset \mathbb{F}^{m \times m}$.

Let in the rest of this work $n$ be the statistical and $k$ be the computational security parameter. Let $\mathbb{G}$ be a group of prime order $p$ such that $\log_2(p) \geq k$. We denote by $(p, \mathbb{G}) \leftarrow \mathcal{G}$ a group sampling algorithm. Let $g$ be a generator of $\mathbb{G}$, then for a (column/row) vector $A \in \mathbb{Z}_p^n$ we denote by $g^A$ the vector $C = (g^{A_1}, \ldots, g^{A_n})$. Furthermore, let $C^B$ be the vector $(g^{A_1 B_1}, \ldots, g^{A_n B_n})$.

Let $X_0, X_1$ be random variables distributed over $\mathcal{X}$ and $Y$ be a random variable over a set $\mathcal{Y}$, then we define the statistical distance between $X_0$ and $X_1$ as $\Delta(X_0; X_1) = \sum_{x \in \mathcal{X}} \frac{1}{2}\,|\Pr[X_0 = x] - \Pr[X_1 = x]|$. Moreover, let $\Delta(X_0; X_1 \mid Y) = \Delta((Y, X_0); (Y, X_1))$ be the statistical distance conditioned on $Y$.

2.1 Model of Leakage 

In this work, we assume that the memory of a physical device is split into two parts, which leak independently. We model this in form of a leakage game, where the adversary can adaptively learn information from each part of the memory. More formally, let $L, R \in \{0, 1\}^s$ be the two parts of the memory, then for a parameter $\lambda \in \mathbb{N}$, we define a $\lambda$-leakage game played between an adaptive adversary $\mathcal{A}$, called a $\lambda$-limited adversary, and a leakage oracle $\Omega(L, R)$ as follows. For some $t \in \mathbb{N}$, the adversary $\mathcal{A}$ can adaptively issue a sequence $\{(f_i, x_i)\}_{i=1}^{t}$ of requests to the oracle $\Omega(L, R)$, where $x_i \in \{L, R\}$ and $f_i : \{0, 1\}^s \to \{0, 1\}^{\lambda_i}$. For the $i$th query the oracle replies with $f_i(x_i)$. The only restriction is that in total the adversary does not learn more than $\lambda$ bits from each of $L$ and $R$. In the following, let $\mathrm{Out}(\mathcal{A}, \Omega(L, R))$ be the output of $\mathcal{A}$ at the end of this game. Without loss of generality, we assume that $\mathrm{Out}(\mathcal{A}, \Omega(L, R)) := (f_1(x_1), \ldots, f_t(x_t))$.
Leakage from Computation. So far, we discussed how to model leakage from the memory of a device, where the memory is split into two parts $(L, R)$. If the physical device carries out "some computation" using its memory $(L, R)$, then this computation leaks information to the adversary. We model this in form of a two-party protocol $\Pi = (P_L, P_R)$ executed between the parties $P_L$ and $P_R$.

Initially, the party $P_L$ holds $L$, while $P_R$ holds $R$. The execution of $\Pi$ with initial inputs $L$ and $R$, denoted by $\Pi(L, R)$, proceeds in rounds. In each round one player is active and sends messages to the other one. These messages can depend on his input (i.e., his initial state), his local randomness, and the messages that he received in earlier rounds. Additionally, the user of the protocol (or the adversary, in case the user is malicious) may interact with the protocol, i.e., he may receive messages from the players and send messages to them. For simplicity, we assume that messages that are sent by the user to the protocol are delivered to both parties $P_L$ and $P_R$. At the end of the protocol's execution, the players $P_L$ and $P_R$ (resp.) may output a value $L'$ and $R'$ (resp.). These outputs may be viewed as the new internal state of the protocol.

One natural way to describe the leakage of the computation (and memory) of such a protocol is to allow the adversary to adaptively pick at the beginning of each round a leakage function $f$ and give $f(\mathrm{state})$ to the adversary. Here, $\mathrm{state}$ contains the initial state of the active party, its local randomness and the messages sent and received during this round. Indeed, we allow the adversary to learn such leakages. To ease description, we consider however a stronger model, and use the concept of a leakage game introduced earlier in this section. More precisely, for player $P_x \in \{P_L, P_R\}$, we denote the local randomness that is used by $P_x$ as $\rho_x$, and all the messages that are received or sent (including the messages from the user of the protocol) by $M_x$. At any point in time, we allow the adversary $\mathcal{A}$ to play a $\lambda$-leakage game against the leakage oracle $\Omega((L, \rho_L, M_L); (R, \rho_R, M_R))$. A technical problem may arise if $\mathcal{A}$ asks for leakages before sending regular messages to the players. In such a case parts of $M_x$ may be undefined, and for simplicity, we will set them to constant 0. For some initial state $(L, R)$, we denote the output of $\mathcal{A}$ after this process with

$$\mathcal{A} \rightleftarrows (\Pi(L, R) \to (L', R')).$$

As we are interested in the continuous leakage setting, we will mostly consider 
an adversary that runs in many executions of A *=► (77(7, P) — > (L',R')). For 
the 7th execution of the protocol Z7(7* _1 , P® _1 ), we will write 

A *=» ( 77 ( 7 / \R l J ) -+ (7\ R 1 )) , 

where the current initial state of this round is (7® _1 , P* _1 ) and the new state of 
P L and P R will be (7%P‘). After A *5 (77(L i " 1 , P*- 1 ) -► (U,IV)), we assume 
that the players Pl and Pr erase their current state except for their new state L l 
and R 1 , respectively. For the ith execution of A £3 (77 (7* _1 , P* _1 ) — > (7®, P®)) , 
we let the adversary interact with the leakage oracle 1?((L® -1 , p\_, MQ; ( R l ~ 1 , ff R , 
Mp)). If A is a A- limited adversary, then we allow him to learn up to A bits from 
the oracle in each such execution. 
2.2 Leakage-Resilient Storage

A leakage-resilient storage (LRS) $\Phi = (\mathsf{Encode}, \mathsf{Decode})$ allows one to store a secret in an "encoded form" such that even given leakage from the encoding no adversary learns information about the encoded values. A simple LRS for the independent leakage model can be based on two-source extractors. More precisely, an LRS for the independent leak­age model is defined for message space $\mathcal{M}$ and encoding space $\mathcal{L} \times \mathcal{R}$ as follows:

– $\mathsf{Encode} : \mathcal{M} \to \mathcal{L} \times \mathcal{R}$ is a probabilistic, efficiently computable function and

– $\mathsf{Decode} : \mathcal{L} \times \mathcal{R} \to \mathcal{M}$ is a deterministic, efficiently computable function such that for every $S \in \mathcal{M}$ we have $\mathsf{Decode}(\mathsf{Encode}(S)) = S$.

An LRS is said to be $(\lambda, \epsilon)$-secure, if for any $S, S' \in \mathcal{M}$ and any $\lambda$-limited adversary $\mathcal{A}$, we have

$$\Delta(\mathsf{Out}(\mathcal{A}, \Omega(L, R)); \mathsf{Out}(\mathcal{A}, \Omega(L', R'))) \le \epsilon,$$

where $(L, R) := \mathsf{Encode}(S)$ and $(L', R') := \mathsf{Encode}(S')$.

We consider a leakage-resilient storage scheme that allows one to efficiently store elements $S \in \mathbb{F}^m$ for some $m \in \mathbb{N}$. Namely, we propose $\Phi^{n,m}_{\mathbb{F}} = (\mathsf{Encode}^{n,m}_{\mathbb{F}}, \mathsf{Decode}^{n,m}_{\mathbb{F}})$ defined as follows:

– $\mathsf{Encode}^{n,m}_{\mathbb{F}}(S)$ first selects $L \leftarrow \mathbb{F}^n \setminus \{(0^n)\}$ at random, and then samples $R \leftarrow \mathbb{F}^{n \times m}$ such that $L \cdot R = S$. It outputs $(L, R)$.

– $\mathsf{Decode}^{n,m}_{\mathbb{F}}(L, R)$ outputs $L \cdot R$.

The following lemma shows that $\Phi^{n,m}_{\mathbb{F}}$ is a secure LRS. The proof uses the fact that an inner product over a finite field is a two-source extractor [refs] and appears in the full version.

Lemma 1. Let $m, n \in \mathbb{N}$ with $m < n$ and let $\mathbb{F}$ be such that $|\mathbb{F}| = \Omega(n)$. For any $1/2 > \delta > 0$, $\gamma > 0$ the LRS $\Phi^{n,m}_{\mathbb{F}}$ as defined above is $(\lambda, \epsilon)$-secure, with $\lambda = (1/2 - \delta)\, n \log|\mathbb{F}| - \log \gamma^{-1}$ and $\epsilon = 2m\left(|\mathbb{F}|^{m + 1/2 - n\delta} + |\mathbb{F}^m|\,\gamma\right)$.

The following is an instantiation of Lemma 1 for concrete parameters.

Corollary 1. Suppose $|\mathbb{F}| = \Omega(n)$ and $m < n/20$. Then, LRS $\Phi^{n,m}_{\mathbb{F}}$ is $(0.3 \cdot \log|\mathbb{F}^n|, \mathsf{negl}(n))$-secure, for some negligible function $\mathsf{negl}$.

3 Leakage-Resilient Refreshing of LRS

For a secret $S$ and a leakage-resilient storage $\Phi = (\mathsf{Encode}, \mathsf{Decode})$ with message space $\mathcal{M}$, we develop a probabilistic protocol $(L', R') \leftarrow \mathsf{Refresh}(L, R)$ that securely refreshes $(L, R) \leftarrow \mathsf{Encode}(S)$, even when the adversary can continuously observe the computation of the refreshing process. The only additional assumption that we make is that the protocol has access to a simple leak-free source $\mathcal{O}$ of correlated randomness.

Initially, $P_L$ holds $L$ and $P_R$ holds $R$. At any point during the execution of the protocol, the adversary can interact with a leakage oracle and learn information about the internal state of $P_L$ and $P_R$. At the end the players output the "refreshed" encoding $(L', R')$, i.e., the new state of the protocol. Notice that the only way in which the adversary can "interact" with the protocol is via the leakage oracle.

For correctness, we require that $\mathsf{Decode}(L, R) = \mathsf{Decode}(L', R')$. Informally, for security, we require that no $\lambda$-limited adversary can learn any significant information about $S$ (for some parameter $\lambda \in \mathbb{N}$). We will define the security of the refreshing protocol using an indistinguishability notion. Intuitively, the definition says that for any two secrets $S, S' \in \mathcal{M}$ the view (i.e., the leakage) resulting from the execution of the refreshing of secret $S$ is statistically close to the view from the refreshing of secret $S'$. Before we formally define security of our refreshing, we consider the following experiment, which runs the refreshing protocol for $\ell$ rounds and lets the adversary play a leakage game in each round. For a protocol $\Pi$, an LRS $\Phi$, a $\lambda$-bounded adversary $\mathcal{A}$, $\ell \in \mathbb{N}$ and $S \in \mathcal{M}$, we have $\mathsf{Exp}_{(\Pi, \Phi)}(\mathcal{A}, S, \ell)$:

1. For a secret $S$, we generate the initial encoding as $(L^0, R^0) \leftarrow \mathsf{Encode}(S)$.

2. For $i = 1$ to $\ell$ run $\mathcal{A}$ against the $i$th round of the refreshing protocol: $\mathcal{A} \leftrightarrows (\Pi(L^{i-1}, R^{i-1}) \to (L^i, R^i))$.

3. Return whatever $\mathcal{A}$ outputs.

W.l.o.g. we assume that $\mathcal{A}$ outputs just a single bit $b \in \{0, 1\}$. To simplify notation, we will sometimes omit to specify $\Phi$ in $\mathsf{Exp}_{(\Pi, \Phi)}(\mathcal{A}, S, \ell)$ explicitly. We are now ready to define security of a refreshing protocol.

Definition 1 (A $(\ell, \lambda, \epsilon)$-refreshing protocol). For an LRS $\Phi = (\mathsf{Encode}, \mathsf{Decode})$ with message space $\mathcal{M}$, a refreshing protocol $(\mathsf{Refresh}, \Phi)$ is $(\ell, \lambda, \epsilon)$-secure, if for every $\lambda$-limited adversary $\mathcal{A}$ and any two secrets $S, S' \in \mathcal{M}$, we have that $\Delta(\mathsf{Exp}_{(\mathsf{Refresh}, \Phi)}(\mathcal{A}, S, \ell); \mathsf{Exp}_{(\mathsf{Refresh}, \Phi)}(\mathcal{A}, S', \ell)) \le \epsilon$.

In the rest of this section, we construct a secure refreshing protocol for the LRS scheme $\Phi^{n,m}_{\mathbb{F}} = (\mathsf{Encode}^{n,m}_{\mathbb{F}}, \mathsf{Decode}^{n,m}_{\mathbb{F}})$ from Section 2.2. Our protocol can refresh an encoding $(L, R) \leftarrow \mathsf{Encode}^{n,m}_{\mathbb{F}}(S)$ any polynomial number of times, and guarantees security for $\lambda$ being a constant fraction of the length of $L$ and $R$ (cf. Theorem 1 and Corollary 2 for the concrete parameters). To ease notation, we often omit to specify $\Phi^{n,m}_{\mathbb{F}}$ when talking about the refreshing protocol $(\mathsf{Refresh}^{n,m}_{\mathbb{F}}, \Phi^{n,m}_{\mathbb{F}})$ and just write $\mathsf{Refresh}$.

As outlined in the introduction, we assume that the players have access to a non-uniform source of randomness. More precisely, they may access an oracle $\mathcal{O}$ that samples pairs $(A, B) \in \mathbb{F}^n \times \mathsf{NonSing}^{n \times m}(\mathbb{F})$ such that $A \ne (0^n)$ and $A \cdot B = (0^m)$. In each iteration the players will sample the oracle twice: once for refreshing the share of $P_R$ (denote the sampled pair by $(A, B)$), and once for refreshing the share of $P_L$ (denote the sampled pair by $(\tilde{A}, \tilde{B})$). The protocol is depicted in Fig. 1. To understand the main idea behind the protocol, the reader may initially disregard the checks (in Steps 1 and 4) that $L$ and $R'$ have full rank (these checks were introduced only to facilitate the proof and fail only with very small probability). The reader may also initially assume that $m = 1$ (the case of $m > 1$ is a simple generalization of the $m = 1$ case). The main idea of our protocol is that first the players generate the value $X \in \mathbb{F}^{n \times m}$ such that $L \cdot X = (0^m)$, and then in Step 3 the player $P_R$ sets $R' := R + X$ (note that, by simple linear algebra, $L \cdot R' = L \cdot (R + X) = L \cdot R + L \cdot X = L \cdot R$). Symmetrically, later, the players generate $Y \in \mathbb{F}^n$ such that $Y \cdot R' = (0^m)$ and set (in Step 6) $L' := L + Y$. By a similar reasoning as before we have $L' \cdot R' = L \cdot R' \,(= L \cdot R)$. The above analysis gives us the correctness of our protocol.

Protocol $(L', R') \leftarrow \mathsf{Refresh}^{n,m}_{\mathbb{F}}(L, R)$:

Input $(L, R)$: $L \in \mathbb{F}^n$ is given to $P_L$ and $R \in \mathbb{F}^{n \times m}$ is given to $P_R$.

Refreshing the share of $P_R$:

1. If $L$ does not have full rank then the players abort. Let $(A, B) \leftarrow \mathcal{O}$ and give $A$ to $P_L$ and $B$ to $P_R$.

2. Player $P_L$ generates a random non-singular matrix $M \in \mathbb{F}^{n \times n}$ such that $L \cdot M = A$ and sends it to $P_R$.

3. Player $P_R$ sets $X := M \cdot B$ and $R' := R + X$.

Refreshing the share of $P_L$:

4. If $R'$ does not have full rank then the players abort. Let $(\tilde{A}, \tilde{B}) \leftarrow \mathcal{O}$ and give $\tilde{A}$ to $P_L$ and $\tilde{B}$ to $P_R$.

5. Player $P_R$ generates a random non-singular matrix $\tilde{M} \in \mathbb{F}^{n \times n}$ such that $\tilde{M} \cdot R' = \tilde{B}$ and sends it to $P_L$.

6. Player $P_L$ sets $Y := \tilde{A} \cdot \tilde{M}$ and $L' := L + Y$.

Output: The players output $(L', R')$.

The adversary plays a $\lambda$-leakage game against:

$$\Omega\big((L, A, M, \tilde{A}, \tilde{M});\ (R, B, M, \tilde{B}, \tilde{M})\big)$$

Fig. 1. Protocol $\mathsf{Refresh}^{n,m}_{\mathbb{F}}$. The oracle $\mathcal{O}$ samples random pairs $(A, B) \in \mathbb{F}^n \times \mathsf{NonSing}^{n \times m}(\mathbb{F})$ such that $A \ne (0^n)$ and $A \cdot B = (0^m)$. The text in the frame describes the leakage game played by the adversary. Note that sampling the random matrices in Steps 2 and 5 can be done efficiently.
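As an added, runnable illustration (not code from the paper), the following Python implements $\mathsf{Encode}^{n,m}_{\mathbb{F}}$ and $\mathsf{Decode}^{n,m}_{\mathbb{F}}$ from Section 2.2 and the refreshing protocol of Fig. 1 over $\mathbb{F} = \mathbb{Z}_p$, including the oracle $\mathcal{O}$ and the two matrix-sampling steps. The field size $p = 101$, $n = 8$ and $m = 2$ are constructed toy parameters (a real instance needs $|\mathbb{F}| = \Omega(n)$ with $n$ large enough for Lemma 1), and all helper names are ours. Running `demo()` encodes a secret, refreshes it several times and returns the decodings, which by the argument above all equal the secret.

```python
"""Added example (not from the paper): toy LRS Phi_F^{n,m} of Section 2.2 and the
refreshing protocol Refresh_F^{n,m} of Fig. 1 over F = Z_p, with constructed parameters."""
import random

P = 101        # constructed toy field size |F|; a real instance needs |F| = Omega(n), n large
N, M = 8, 2    # n = length of L, m = number of columns of R (m < n)

def matmul(X, Y, p=P):
    """Matrix product over Z_p; matrices are lists of rows."""
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*Y)] for row in X]

def transpose(X):
    return [list(col) for col in zip(*X)]

def rref(X, p=P):
    """Reduced row echelon form over Z_p; returns (reduced copy, rank)."""
    A, r = [row[:] for row in X], 0
    for c in range(len(A[0])):
        piv = next((i for i in range(r, len(A)) if A[i][c] % p), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
        r += 1
    return A, r

def rank(X, p=P):
    return rref(X, p)[1]

def inverse(X, p=P):
    """Inverse of a non-singular square matrix via Gauss-Jordan on [X | I]."""
    n = len(X)
    red, _ = rref([row + [int(i == j) for j in range(n)] for i, row in enumerate(X)], p)
    return [row[n:] for row in red]

def vector_with_inner_product(L, target, p=P):
    """Uniform x in Z_p^n with <L, x> = target (L non-zero): sample x, then fix one coordinate."""
    x = [random.randrange(p) for _ in L]
    k = next(i for i, l in enumerate(L) if l % p)
    cur = sum(l * xi for l, xi in zip(L, x)) % p
    x[k] = (x[k] + (target - cur) * pow(L[k], -1, p)) % p
    return x

def encode(S, n=N, p=P):
    """Encode_F^{n,m}(S): L <- F^n \\ {0^n}, R <- F^{n x m} with L . R = S."""
    L = [0] * n
    while not any(L):
        L = [random.randrange(p) for _ in range(n)]
    return L, transpose([vector_with_inner_product(L, s, p) for s in S])

def decode(L, R, p=P):
    """Decode_F^{n,m}(L, R) = L . R."""
    return matmul([L], R, p)[0]

def oracle_O(n=N, m=M, p=P):
    """Leak-free source O: (A, B) with A != 0^n, A . B = 0^m and B of full column rank."""
    while True:
        A = [random.randrange(p) for _ in range(n)]
        B = transpose([vector_with_inner_product(A, 0, p) for _ in range(m)]) if any(A) else []
        if B and rank(B, p) == m:
            return A, B

def nonsingular_with_row_image(L, A, p=P):
    """Random non-singular M with L . M = A (Step 2): column j uniform subject to <L, M_j> = A_j."""
    while True:
        Mx = transpose([vector_with_inner_product(L, a, p) for a in A])
        if rank(Mx, p) == len(L):
            return Mx

def nonsingular_with_col_image(Rp, Bt, p=P):
    """Random non-singular M~ with M~ . R' = B~ (Step 5): extend R' and B~ to bases
    [R'|C] and [B~|D], then M~ = [B~|D] . [R'|C]^{-1} maps the columns of R' onto B~."""
    n, m = len(Rp), len(Rp[0])
    while True:
        RC = [r + [random.randrange(p) for _ in range(n - m)] for r in Rp]
        BD = [b + [random.randrange(p) for _ in range(n - m)] for b in Bt]
        if rank(RC, p) == n and rank(BD, p) == n:
            return matmul(BD, inverse(RC, p), p)

def refresh(L, R, p=P):
    """One run of Refresh_F^{n,m} (Fig. 1); returns (L', R') or None if a party aborts."""
    n, m = len(L), len(R[0])
    if rank([L], p) != 1:                        # Step 1: L must have full rank (be non-zero)
        return None
    A, B = oracle_O(n, m, p)
    Mx = nonsingular_with_row_image(L, A, p)     # Step 2: P_L -> P_R: M with L . M = A
    X = matmul(Mx, B, p)                         # Step 3: X = M . B, so L . X = A . B = 0
    Rp = [[(r + x) % p for r, x in zip(rr, xr)] for rr, xr in zip(R, X)]
    if rank(Rp, p) != m:                         # Step 4: R' must have full column rank
        return None
    At, Bt = oracle_O(n, m, p)
    Mt = nonsingular_with_col_image(Rp, Bt, p)   # Step 5: P_R -> P_L: M~ with M~ . R' = B~
    Y = matmul([At], Mt, p)[0]                   # Step 6: Y = A~ . M~, so Y . R' = A~ . B~ = 0
    return [(l + y) % p for l, y in zip(L, Y)], Rp

def demo(S=(17, 42), rounds=5):
    """Encode S, refresh it `rounds` times, return all decodings (Lemma 2: each equals S)."""
    L, R = encode(list(S))
    seen = [decode(L, R)]
    for _ in range(rounds):
        out = refresh(L, R)
        if out is None:                          # abort has negligible probability for large |F|
            return None
        L, R = out
        seen.append(decode(L, R))
    return seen
```

The two sampling steps are where the work is: $M$ is built column by column (each column uniform subject to one inner-product constraint, retried until non-singular), while $\tilde{M}$ is obtained by completing $R'$ and $\tilde{B}$ to bases of $\mathbb{F}^n$, which is exactly where the full-rank check of Step 4 is needed.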

Lemma 2 (Correctness of the refreshing). Assuming that the players $P_L$ and $P_R$ did not abort, we have for any $S \in \mathbb{F}^m$: $\mathsf{Decode}^{n,m}_{\mathbb{F}}(\mathsf{Refresh}^{n,m}_{\mathbb{F}}(\mathsf{Encode}^{n,m}_{\mathbb{F}}(S))) = S$.

We now state our main theorem, which shows that the protocol $\mathsf{Refresh}^{n,m}_{\mathbb{F}}$ from Figure 1 satisfies Definition 1. In the full version of this paper, we show that our refreshing is secure even if the adversary has some (not necessarily short) auxiliary information about the encoding.

Theorem 1 (Security of $\mathsf{Refresh}^{n,m}_{\mathbb{F}}$). Let $m/3 < n$, $n > 16$ and $\ell \in \mathbb{N}$. Let $n, m$ and $\mathbb{F}$ be such that $\Phi^{n,m}_{\mathbb{F}}$ is $(\lambda, \epsilon)$-secure (for some $\lambda$ and $\epsilon$). The protocol $\mathsf{Refresh}^{n,m}_{\mathbb{F}}$ is a $(\ell, \lambda/2 - 1, \epsilon')$-refreshing protocol for the LRS $\Phi^{n,m}_{\mathbb{F}}$ with $\epsilon' := 2\ell\,|\mathbb{F}|^m\left(3\,|\mathbb{F}|^m \epsilon + m\,|\mathbb{F}|^{-n-1}\right)$.

For the proof of this theorem, we will need to show that any adversary $\mathcal{A}$ that interacts for $\ell$ iterations with the refreshing experiment $\mathsf{Exp}_{\mathsf{Refresh}}$ (as given in Definition 1) will only gain a negligible (in $n$) amount of information about the encoded secret $S$. Notice that this in particular means that $\mathcal{A}$'s interaction with the leakage oracle given in the frame of Figure 1 will not provide the adversary with information on the encoded secret. More formally, we will show that for every $(\lambda/2 - 1)$-limited $\mathcal{A}$ and every $S, S'$ we have:

$$\Delta\big(\mathsf{Exp}_{\mathsf{Refresh}}(\mathcal{A}, S, \ell);\ \mathsf{Exp}_{\mathsf{Refresh}}(\mathcal{A}, S', \ell)\big) \le 2\ell\,|\mathbb{F}|^m\left(3\,|\mathbb{F}|^m \epsilon + m\,|\mathbb{F}|^{-n-1}\right). \qquad (1)$$

This will be proven using the standard technique called the "hybrid argument", by creating a sequence of "hybrid distributions". We will show that the first distribution in this sequence is statistically very close to $\mathsf{Exp}_{\mathsf{Refresh}}(\mathcal{A}, S, \ell)$, while the last is close to $\mathsf{Exp}_{\mathsf{Refresh}}(\mathcal{A}, S', \ell)$. Moreover, each two consecutive distributions in the sequence will be statistically close. Hence, by applying the triangle inequality multiple times, we will obtain that $\mathsf{Exp}_{\mathsf{Refresh}}(\mathcal{A}, S, \ell)$ and $\mathsf{Exp}_{\mathsf{Refresh}}(\mathcal{A}, S', \ell)$ are close. The proof of the theorem is deferred to the full version of this paper. Combining Theorem 1 with Corollary 1 we get the following.

Corollary 2. Let $n \in \mathbb{N}$ be the security parameter. Suppose $|\mathbb{F}| = \Omega(n)$ and let $m = o(n)$. Then $\mathsf{Refresh}^{n,m}_{\mathbb{F}}$ is a $(\ell, 0.15 \cdot n \log(|\mathbb{F}|) - 1, \mathsf{negl}(n))$-refreshing protocol for the LRS $\Phi^{n,m}_{\mathbb{F}}$, where $\ell$ is a polynomial in $n$ and $\mathsf{negl}(n)$ is some negligible function.

4 Identification and Signature Schemes

In an identification scheme $\mathsf{ID}$ a prover attempts to prove its identity to a verifier. For a security parameter $k$, $\mathsf{ID}$ consists of three PPT algorithms $\mathsf{ID} = (\mathsf{KeyGen}, \mathcal{P}, \mathcal{V})$:

– $(pk, sk) \leftarrow \mathsf{KeyGen}(1^k)$: It outputs the public parameters of the scheme and a valid key pair.

– $(\mathcal{P}(pk, sk), \mathcal{V}(pk))$: An interactive protocol in which $\mathcal{P}$ tries to convince $\mathcal{V}$ of its identity by using his secret key $sk$. The verifier $\mathcal{V}$ outputs either accept or reject.

We require that $\mathsf{ID}$ is complete. This means that an honest prover will always be accepted by the verifier. The standard security definition of an identification scheme $\mathsf{ID}$ considers a polynomial-time adversary $\mathcal{A}$ that inputs the public key $pk$ and interacts with the prover $\mathcal{P}(pk, sk)$ playing the role of a verifier. Then, $\mathcal{A}$ tries to impersonate $\mathcal{P}(pk, sk)$ by engaging in an interaction with $\mathcal{V}(pk)$. We say that the scheme is secure if every polynomial-time adversary $\mathcal{A}$ impersonates the prover with only negligible probability.

We extend this standard security to incorporate leakage from the prover's computation. To this end, we let the adversary take the role of $\mathcal{V}$ in the execution of the protocol $(\mathcal{P}(pk, sk), \mathcal{V}(pk))$ and allow him to obtain leakage from the prover's execution. We denote a single execution of this process by $\mathcal{A} \leftrightarrows (\mathcal{P}(sk) \to sk')$, where $sk'$ may be the updated key.

Definition 2 (Security against Leakage and Impersonation Attacks (ID-LEAK security)). Let $k \in \mathbb{N}$ be the security parameter. An identification scheme $\mathsf{ID} = (\mathsf{KeyGen}, \mathcal{P}, \mathcal{V})$ is $\lambda(k)$-ID-LEAK secure if for any PPT $\lambda(k)$-limited adversary $\mathcal{A}$ it holds that the experiment below outputs 1 with probability at most $\mathsf{negl}(k)$:

1. The challenger samples $(pk, sk^0) \leftarrow \mathsf{KeyGen}(1^k)$ and gives $pk$ to $\mathcal{A}$.

2. Repeat for $i = 0 \ldots \mathsf{poly}(k)$ times: $\mathcal{A} \leftrightarrows (\mathcal{P}(sk^i) \to sk^{i+1})$, where in each execution the adversary can interact with the honest prover and gets up to $\lambda(k)$ bits about the current secret state $sk^i$ and the randomness that is used.

3. $\mathcal{A}$ impersonates the prover and interacts with $\mathcal{V}(pk)$. If $\mathcal{V}(pk)$ accepts, then output 1; otherwise output 0.

Notice that the adversary is allowed to obtain $\lambda$ bits of information for each execution of the identification protocol.

4.1 A Construction of a Leakage-Resilient Identification Protocol

Our construction is based on the standard Okamoto identification scheme [ref]. Let $g_1$ and $g_2$ be two generators of $\mathbb{G}$ such that $\alpha = \log_{g_1}(g_2)$ is unknown. The secret key $sk$ is equal to $(x_1, x_2) \leftarrow \mathbb{Z}_p^2$ and the public key $pk$ is $g_1^{x_1} \cdot g_2^{x_2}$.

1. $\mathcal{P}$ chooses $(w_1, w_2) \leftarrow \mathbb{Z}_p^2$, computes $a := g_1^{w_1} g_2^{w_2}$, and sends $a$ to $\mathcal{V}$.

2. $\mathcal{V}$ chooses $c \leftarrow \mathbb{Z}_p$ and sends it to $\mathcal{P}$.

3. $\mathcal{P}$ computes $z_1 := w_1 + c x_1$ and $z_2 := w_2 + c x_2$ and sends $(z_1, z_2)$ to $\mathcal{V}$.

4. $\mathcal{V}$ accepts if and only if $g_1^{z_1} g_2^{z_2} = a \cdot pk^c$.

We next describe how to implement the Okamoto scheme such that it remains secure even if the computation of the prover is carried out on a leaky device. Verification is as in the standard Okamoto scheme, while the key generation and the computation of the prover are adjusted to protect against leakage attacks. More precisely, instead of using $(x_1, x_2) \in \mathbb{Z}_p^2$ as secret key, we store $(L, (R_1, R_2)) \leftarrow \mathsf{Encode}^{n,2}_{\mathbb{Z}_p}(x_1, x_2)$ and implement the computation of the prover as a two-party protocol run between $P_L(L)$ and $P_R(R_1, R_2)$. To this end, we will use the fact that the Okamoto identification protocol only requires computing a linear function of the encoded secret key. The protocol is given in Figure 2. Finally, we will combine our identification protocol with our protocol for refreshing to construct an identification scheme $\mathsf{Oka} = (\mathsf{KeyGen}, \mathcal{P}, \mathcal{V}, \mathsf{Refresh}^{n,2}_{\mathbb{Z}_p})$ that is ID-LEAK secure. More precisely, in the $i$th execution of $(\mathcal{P}(pk, (L, R)), \mathcal{V}(pk))$, after the prover's last step in Figure 2 we execute $(L^{i+1}, R^{i+1}) \leftarrow \mathsf{Refresh}^{n,2}_{\mathbb{Z}_p}(L^i, R^i)$ and set the prover's secret key for the next round to $sk^{i+1} := (L^{i+1}, R^{i+1})$. Notice that in such a case, we include into the leakage oracle from the figure the variables that are used by the refreshing and let the adversary interact in each round with the following leakage oracle:

$$\Omega\big((L^i, U, Z, A, M, \tilde{A}, \tilde{M});\ (R^i, W, B, M, \tilde{B}, \tilde{M})\big).$$

Key generation $\mathsf{KeyGen}(1^k)$:

Sample $(p, \mathbb{G}) \leftarrow \mathcal{G}(1^k)$, generators $g_1, g_2 \leftarrow \mathbb{G}$, $S = (x_1, x_2) \leftarrow \mathbb{Z}_p^2$, $(L, R) \leftarrow \mathsf{Encode}^{n,2}_{\mathbb{Z}_p}(S)$. Set $sk = (L, R)$ and $pk = (p, g_1, g_2, h := g_1^{x_1} g_2^{x_2})$.

The identification protocol $(\mathcal{P}(pk, (L, R)), \mathcal{V}(pk))$

Input for prover $(L, R)$: $L$ is given to $P_L$ and $R$ is given to $P_R$.

Prover $\mathcal{P}(pk, (L, R))$:

1. $P_R$ samples $W_1, W_2 \leftarrow \mathbb{Z}_p^n$, computes $U := g_1^{W_1} \odot g_2^{W_2}$ and sets $W := (W_1, W_2)$. The vector $U$ is sent to $P_L$ ($\odot$ is component-wise multiplication of vectors).

2. $P_L$ computes $V = U^L$ and $a = \prod_i V_i$. The value $a$ is sent to $\mathcal{V}$.

3. $\mathcal{V}$ chooses $c \leftarrow \mathbb{Z}_p$ and sends it to the prover.

4. $P_R$ computes the $n \times 2$ matrix $Z = W + cR$ and sends it to $P_L$.

5. $P_L$ computes $(z_1, z_2) = L \cdot Z$. The values $(z_1, z_2)$ are sent to $\mathcal{V}$.

Verifier $\mathcal{V}(pk)$:

6. Accept iff $g_1^{z_1} g_2^{z_2} = a h^c$.

At any time, the adversary can play a $\lambda$-leakage game against $\Omega((L, U, Z); (R, W))$. We set $Z = 0$ for leakage queries that are asked before $c$ is fixed.

Fig. 2. The key generation algorithm and the protocol $(\mathcal{P}(pk, (L, R)), \mathcal{V}(pk))$ for identification. $(\mathcal{P}(pk, (L, R)), \mathcal{V}(pk))$ is an interactive protocol between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$.


It is easy to see that the above protocol satisfies the completeness property. This is due to the correctness of the refreshing protocol, and the fact that the messages that are exchanged by the parties $\mathcal{P}$ and $\mathcal{V}$ in Figure 2 are as in the original Okamoto protocol. The security of our protocol $\mathsf{Oka}$ is proven in the following theorem.
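The following Python is an added example, not the paper's code, of one execution of the protocol of Figure 2 as described in Section 4.1: the Okamoto key $(x_1, x_2)$ exists only as $(L, R) \leftarrow \mathsf{Encode}^{n,2}_{\mathbb{Z}_p}(x_1, x_2)$, $P_R$ works on $R$ and its randomness $W$, $P_L$ works on $L$, and the verifier's check is the unchanged Okamoto equation $g_1^{z_1} g_2^{z_2} = a h^c$. The group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generators 4 and 9), $n = 6$ and all helper names are constructed for this illustration; the refreshing between executions is left out.

```python
"""Added example (not from the paper): one run of the identification protocol of Figure 2,
with the Okamoto key (x1, x2) held only as an encoding (L, R) split between P_L and P_R.
Group parameters and n are constructed toy values."""
import random

Q = 2039          # constructed: q = 2p + 1 is prime, so Z_q^* has a subgroup G of prime order p
P = 1019          # constructed: |G| = p
G1, G2 = 4, 9     # 2^2 and 3^2 are non-trivial squares mod q, hence generators of G
N = 6             # length of the share L (toy value)

def encode(x1, x2, n=N, p=P):
    """Encode_{Z_p}^{n,2}(x1, x2): L <- Z_p^n \\ {0}, R <- Z_p^{n x 2} with L . R = (x1, x2)."""
    L = [0] * n
    while not any(L):
        L = [random.randrange(p) for _ in range(n)]
    k = next(i for i, l in enumerate(L) if l)            # coordinate used to fix the inner product
    R = [[random.randrange(p), random.randrange(p)] for _ in range(n)]
    for j, target in enumerate((x1, x2)):
        cur = sum(L[i] * R[i][j] for i in range(n)) % p
        R[k][j] = (R[k][j] + (target - cur) * pow(L[k], -1, p)) % p
    return L, R

def keygen(x1=None, x2=None, n=N):
    """KeyGen(1^k) of Figure 2: sk = (L, R) encoding (x1, x2), pk = h = g1^x1 g2^x2."""
    x1 = random.randrange(P) if x1 is None else x1
    x2 = random.randrange(P) if x2 is None else x2
    h = pow(G1, x1, Q) * pow(G2, x2, Q) % Q
    return encode(x1, x2, n), h

def pr_commit(R):
    """Step 1 (P_R): W <- Z_p^{n x 2}, U_i = g1^{W_i1} * g2^{W_i2}; U goes to P_L, W stays."""
    W = [[random.randrange(P), random.randrange(P)] for _ in R]
    return W, [pow(G1, w1, Q) * pow(G2, w2, Q) % Q for w1, w2 in W]

def pl_commit(L, U):
    """Step 2 (P_L): V_i = U_i^{L_i}, a = prod_i V_i (= g1^{w1} g2^{w2} with (w1, w2) = L . W)."""
    a = 1
    for l, u in zip(L, U):
        a = a * pow(u, l, Q) % Q
    return a

def pr_respond(R, W, c):
    """Step 4 (P_R): Z = W + c R over Z_p; Z goes to P_L."""
    return [[(w + c * r) % P for w, r in zip(wr, rr)] for wr, rr in zip(W, R)]

def pl_respond(L, Z):
    """Step 5 (P_L): (z1, z2) = L . Z = (w1 + c x1, w2 + c x2); sent to the verifier."""
    return tuple(sum(l * z[j] for l, z in zip(L, Z)) % P for j in (0, 1))

def verify(h, a, c, z1, z2):
    """Step 6 (verifier): accept iff g1^z1 g2^z2 = a h^c, exactly as in plain Okamoto."""
    return pow(G1, z1, Q) * pow(G2, z2, Q) % Q == a * pow(h, c, Q) % Q

def run_identification(sk, h, c=None):
    """(P(pk, (L, R)), V(pk)): P_L never sees R or W, P_R never sees L; V sees a and (z1, z2)."""
    L, R = sk
    W, U = pr_commit(R)                                    # P_R -> P_L: U
    a = pl_commit(L, U)                                    # P_L -> V:   a
    c = random.randrange(P) if c is None else c            # V  -> P:    c (Step 3)
    Z = pr_respond(R, W, c)                                # P_R -> P_L: Z
    z1, z2 = pl_respond(L, Z)                              # P_L -> V:   (z1, z2)
    return verify(h, a, c, z1, z2)
```

Because $a = \prod_i U_i^{L_i} = g_1^{L \cdot W_1} g_2^{L \cdot W_2}$ and $L \cdot Z = L \cdot W + c\,L \cdot R$, the transcript $(a, c, z_1, z_2)$ is distributed exactly as in the plain scheme, which is the point made above about completeness; neither party ever reconstructs $(x_1, x_2)$.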

Theorem 2. $\mathsf{Oka} = (\mathsf{KeyGen}, \mathcal{P}, \mathcal{V}, \mathsf{Refresh}^{n,2}_{\mathbb{Z}_p})$ is $((0.15 \cdot n - 3)\log p - 1)$-ID-LEAK secure, if the DL assumption holds.

The proof follows from the following three observations:

1. We first consider a single execution of the protocol $(\mathcal{P}(pk, (L, R)), \mathcal{V}(pk))$ from Figure 2 and prove a simple property in the information-theoretic setting. Namely, we show that there exists an (unbounded) simulator with access to a leakage oracle $\Omega(L^*, R^*)$ that can simulate $\mathcal{A}(pk)$'s view in $\mathcal{A} \leftrightarrows (\mathcal{P}(L, R) \to (L, R))$. In this step the analysis neglects the leakage from the refreshing process as we consider only a single run of the protocol.

2. We next consider the setting where unbounded $\mathcal{A}$ runs in many iterations of $\mathcal{A} \leftrightarrows (\mathcal{P}(L^i, R^i) \to (L^{i+1}, R^{i+1}))$, where we also take into account that the refreshing of $(L^i, R^i)$ leaks information. We will combine our results from the last section with the simulator defined in Step 1 to show that any unbounded adversary will only learn a negligible amount of information about the secret key.

3. Finally, we will argue why this proves the ID-LEAK security of our scheme. To this end, we rely on a recent result of Dodis et al. [ref], which shows security of the original Okamoto scheme for keys sampled from a high average min-entropy source.

Leakage-Resilient Signatures. It is a well-known fact that the Okamoto identification protocol can be turned into a signature scheme using the Fiat-Shamir heuristic. Similarly, we can turn the scheme from Figure 2 into a leakage-resilient signature scheme which can be proven secure against continuous leakage attacks in the random oracle model under the DL assumption.

5 Leakage-Resilient Encryption

In this section, we construct an efficient encryption scheme that is secure against continuous leakage attacks. Our construction is based on a variant of the ElGamal cryptosystem and is proven secure against adaptive chosen ciphertext and leakage attacks (CCLA2) in the random oracle model.

5.1 Definitions

For security parameter $k$ a public-key encryption scheme $\mathsf{PKE} = (\mathsf{KeyGen}, \mathsf{Encr}, \mathsf{Decr})$ consists of three PPT algorithms.

– $(pk, sk) \leftarrow \mathsf{KeyGen}(1^k)$: It outputs a valid public/secret key pair.

– $c \leftarrow \mathsf{Encr}(pk, m)$: A probabilistic algorithm that on input some message $m$ and the public key $pk$ outputs a ciphertext $c = \mathsf{Encr}(pk, m)$.

– $m = \mathsf{Decr}(sk, c)$: The decryption algorithm takes as input the secret key $sk$ and a ciphertext $c$ such that for any $m$ we have $m = \mathsf{Decr}(sk, \mathsf{Encr}(pk, m))$.

To define security we allow the adversary to query the decryption oracle on some chosen ciphertext $c$, and additionally allow him to obtain a bounded amount of leakage from the decryption process. This may be repeated many times; hence, eventually the adversary may learn a large amount of information. Formally, we define security against adaptive chosen ciphertext and leakage attacks (IND-CCLA2 security) as follows.

Definition 3 (Security against Chosen Ciphertext Leakage Attacks (CCLA2-secure)). Let $k \in \mathbb{N}$ be the security parameter. A public-key encryption scheme $\mathsf{PKE} = (\mathsf{KeyGen}, \mathsf{Encr}, \mathsf{Decr})$ is $\lambda(k)$-IND-CCLA2 secure if for any PPT $\lambda(k)$-limited adversary $\mathcal{A}$ the probability that the experiment below outputs 1 is at most $1/2 + \mathsf{negl}(k)$.

1. Sample $b \leftarrow \{0, 1\}$ and $(pk, sk) \leftarrow \mathsf{KeyGen}(1^k)$. Give $pk$ to $\mathcal{A}$.

2. Repeat until $\mathcal{A}(1^k)$ outputs $(m_0, m_1)$: $\mathcal{A}(1^k) \leftrightarrows (\mathsf{Decr}(sk, c) \to sk')$, where for each decryption query $c$ the adversary additionally retrieves up to $\lambda(k)$ bits about the current secret state $sk$. Set the key for the next round to $sk := sk'$.

3. The challenger computes $c^* \leftarrow \mathsf{Encr}(pk, m_b)$ and gives it to $\mathcal{A}$.

4. Repeat until $\mathcal{A}(1^k)$ outputs $b'$: $\mathcal{A}(1^k) \leftrightarrows (\mathsf{Decr}(sk, c) \to sk')$, where for each decryption query $c \ne c^*$ the adversary additionally retrieves up to $\lambda(k)$ bits about the current secret state $sk$. Set the key for the next round to $sk := sk'$.

5. If $b = b'$ then output 1; otherwise output 0.

The weaker notion of CCLA1-security can be obtained by omitting Step 4 in the experiment above.

5.2 Efficient IND-CCLA2-secure Encryption

An important tool of our encryption scheme is a simulation-sound (SS) NIZK. Informally, a NIZK proof system is said to be simulation sound if any adversary has negligible advantage in breaking soundness (i.e., forging an accepting proof for an invalid statement), even after seeing a bounded number of proofs for (in)valid statements. We refer the reader to [refs] for the formal definition of NIZKs and simulation soundness. SS-NIZKs can be instantiated in the common random string model using the Groth-Sahai proof system [ref] and the techniques of [ref]. Unfortunately, this results in an impractical scheme. In contrast, in the random oracle model using the Fiat-Shamir heuristic [ref] simulation soundness can be achieved efficiently. In particular, it has been proven in [ref] that the standard Chaum-Pedersen protocol [ref] for proving equivalence of discrete logarithms can be turned into a SS-NIZK using the Fiat-Shamir heuristic. Let in the following $(\mathsf{Prov}, \mathsf{Ver})$ denote such a non-interactive proof system for proving the equivalence of discrete logarithms.

Our scheme can be viewed as a leakage-resilient implementation of the following simple variant of the ElGamal encryption scheme using the above simulation-sound NIZK. Let $g_1, g_2$ be two generators of a group $\mathbb{G}$ of prime order $p$. Let $sk = (x_1, x_2) \in \mathbb{Z}_p^2$ be the secret key and $pk = (g_1, g_2, h = g_1^{x_1} \cdot g_2^{x_2})$ the public key. To encrypt a message $m \in \mathbb{G}$, pick uniformly $r \leftarrow \mathbb{Z}_p$ and compute $c = (u := g_1^r, v := g_2^r, w := h^r m, \pi)$, where $\pi := \mathsf{Prov}(u, v, r)$ is a NIZK proof of $\log_{g_1}(u) = \log_{g_2}(v)$. To decrypt $c = (u, v, w, \pi)$, verify the NIZK, and if it accepts, output $w \cdot (u^{-x_1} \cdot v^{-x_2})$.

It can easily be shown that this scheme achieves standard CCA2 security in the RO model. In this section, we will show how to implement this scheme such that it remains secure even if the decryption continuously leaks information. Similar to our transformation of the Okamoto scheme, we store the secret key $(x_1, x_2)$ as $(L, R) \leftarrow \mathsf{Encode}^{n,2}_{\mathbb{Z}_p}(x_1, x_2)$ and implement the computation of the decryption process as a two-party protocol run between $P_L(L)$ and $P_R(R)$. The protocol for key generation and decryption is given in Figure 3. Finally, we will combine the protocol from Figure 3 with our refreshing protocol from Section 3 to construct an encryption scheme $\mathsf{PKE} = (\mathsf{KeyGen}, \mathsf{Encr}, \mathsf{Decr}, \mathsf{Refresh}^{n,2}_{\mathbb{Z}_p})$ that is CCLA2 secure.

Key generation $\mathsf{KeyGen}(1^k)$:

Let $(p, \mathbb{G}) \leftarrow \mathcal{G}(1^k)$, $g_1, g_2 \leftarrow \mathbb{G}$, $S = (x_1, x_2) \leftarrow \mathbb{Z}_p^2$, and $(L, R) \leftarrow \mathsf{Encode}^{n,2}_{\mathbb{Z}_p}(S)$. Let $sk = (L, R)$ and $pk = (p, g_1, g_2, h := g_1^{x_1} g_2^{x_2})$.

Encryption $\mathsf{Encr}(pk, m)$:

Sample $r \leftarrow \mathbb{Z}_p$ uniformly at random and compute $c = (u := g_1^r, v := g_2^r, w := h^r m)$. Run the NIZK prover $\mathsf{Prov}(u, v, r)$ to obtain a proof $\pi$ for $\log_{g_1}(u) = \log_{g_2}(v)$. Return $(c, \pi)$.

The protocol for decryption $\mathsf{Decr}(sk, c)$:

Input for decryption $sk := (L, R)$: $L$ is given to $P_L$ and $R$ is given to $P_R$.

Both parties obtain $c$ and parse it as $(u, v, w, \pi)$. If $\mathsf{Ver}(u, v, \pi) = \mathsf{reject}$ then abort; otherwise proceed as follows:

1. $P_R$ computes the vector $U := u^{R_1} \odot v^{R_2}$. $U$ is sent to $P_L$ ($\odot$ denotes component-wise multiplication of vectors).

2. $P_L$ computes $V = U^{-L}$ and outputs $w \prod_i V_i$.

Notice that we can omit the leakage from the verification of the NIZK as it only includes publicly known values. At any time, the adversary can play a $\lambda$-leakage game against: $\Omega((L, U); R)$.

Fig. 3. Our public-key encryption scheme $\mathsf{PKE}$.


The security analysis follows the outline given in the last section. We first show that the leakage from a single decryption query can be simulated in a perfect way with just access to a leakage oracle $\Omega(L^*, R^*)$. For this simulation to go through, we require that an adversary can only observe leakage from operations that involve the secret key if the decryption oracle is queried on a valid ciphertext. We call a ciphertext valid if $\log_{g_1}(u) = \log_{g_2}(v)$ holds. Notice that this is also the reason why we need NIZKs and cannot use the standard techniques to get CCA1/2 security based on hash proof systems. In the next step, we show that even when the adversary can continuously obtain leakage from the decryption, he will not be able to learn information about the encoded secret key. To this end, we will combine the scheme from Figure 3 with our refreshing protocol $\mathsf{Refresh}^{n,2}_{\mathbb{Z}_p}$. In the following theorem, we show IND-CCLA2 security of our scheme.

Theorem 3. $\mathsf{PKE}$ is $(0.15 \cdot n \log p - 1)$-IND-CCLA2 secure in the random oracle model, if the DDH assumption holds.
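As an added example (not the paper's implementation), the Python below runs the scheme of Figure 3 with the validity check that the analysis above depends on: $(\mathsf{Prov}, \mathsf{Ver})$ is a Fiat-Shamir Chaum-Pedersen proof of $\log_{g_1}(u) = \log_{g_2}(v)$, decryption verifies it on public values before either share is used, and only then do $P_R$ and $P_L$ evaluate $u^{-x_1} v^{-x_2}$ in the exponent on their shares. Two choices are ours and not stated in the paper: SHA-256 stands in for the random oracle, and the hash input also covers $w$. The group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generators 4 and 9), $n = 6$ and the helper names are constructed toy values.

```python
"""Added example (not from the paper): the ElGamal variant of Section 5.2 with the two-party
decryption of Figure 3. (Prov, Ver) is a Fiat-Shamir Chaum-Pedersen proof of log_g1(u) = log_g2(v);
SHA-256 stands in for the random oracle and the hash also covers w (both are choices made here).
Group parameters and n are constructed toy values."""
import hashlib
import random

Q = 2039          # constructed: q = 2p + 1 prime, G = order-p subgroup of Z_q^*
P = 1019          # constructed: |G| = p
G1, G2 = 4, 9     # non-trivial squares mod q, hence generators of G
N = 6             # length of the share L (toy value)

def encode(x1, x2, n=N, p=P):
    """Encode_{Z_p}^{n,2}(x1, x2): L <- Z_p^n \\ {0}, R <- Z_p^{n x 2} with L . R = (x1, x2)."""
    L = [0] * n
    while not any(L):
        L = [random.randrange(p) for _ in range(n)]
    k = next(i for i, l in enumerate(L) if l)            # coordinate used to fix the inner product
    R = [[random.randrange(p), random.randrange(p)] for _ in range(n)]
    for j, target in enumerate((x1, x2)):
        cur = sum(L[i] * R[i][j] for i in range(n)) % p
        R[k][j] = (R[k][j] + (target - cur) * pow(L[k], -1, p)) % p
    return L, R

def keygen(x1=None, x2=None, n=N):
    """KeyGen(1^k) of Figure 3: sk = (L, R) encoding (x1, x2), pk = (g1, g2, h = g1^x1 g2^x2)."""
    x1 = random.randrange(P) if x1 is None else x1
    x2 = random.randrange(P) if x2 is None else x2
    return encode(x1, x2, n), (G1, G2, pow(G1, x1, Q) * pow(G2, x2, Q) % Q)

def challenge(*vals):
    """Random-oracle challenge e = H(vals) in Z_p, instantiated with SHA-256 (an assumption)."""
    h = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(h, "big") % P

def prove_dlog_eq(u, v, w, r):
    """Prov(u, v, r): a1 = g1^t, a2 = g2^t, e = H(...), s = t + e r shows log_g1(u) = log_g2(v) = r."""
    t = random.randrange(P)
    a1, a2 = pow(G1, t, Q), pow(G2, t, Q)
    e = challenge(G1, G2, u, v, w, a1, a2)
    return a1, a2, (t + e * r) % P

def verify_dlog_eq(u, v, w, proof):
    """Ver(u, v, pi): accept iff g1^s = a1 u^e and g2^s = a2 v^e."""
    a1, a2, s = proof
    e = challenge(G1, G2, u, v, w, a1, a2)
    return (pow(G1, s, Q) == a1 * pow(u, e, Q) % Q and
            pow(G2, s, Q) == a2 * pow(v, e, Q) % Q)

def encrypt(pk, m):
    """Encr(pk, m): (u, v, w) = (g1^r, g2^r, h^r m) plus the validity proof; m must be in G."""
    _, _, h = pk
    r = random.randrange(P)
    u, v = pow(G1, r, Q), pow(G2, r, Q)
    w = pow(h, r, Q) * m % Q
    return u, v, w, prove_dlog_eq(u, v, w, r)

def decrypt(sk, c):
    """Decr(sk, c) as in Figure 3; returns None (abort) if the proof is rejected."""
    L, R = sk
    u, v, w, proof = c
    if not verify_dlog_eq(u, v, w, proof):        # public values only: no share is touched
        return None
    U = [pow(u, r1, Q) * pow(v, r2, Q) % Q for r1, r2 in R]   # Step 1 (P_R): U = u^{R1} (.) v^{R2}
    out = w                                       # Step 2 (P_L): w * prod_i U_i^{-L_i} = w u^{-x1} v^{-x2}
    for l, ui in zip(L, U):
        out = out * pow(ui, (-l) % P, Q) % Q
    return out

def roundtrip(m=25):
    """Honest run; 25 = 5^2 is a square mod q, hence a group element."""
    sk, pk = keygen()
    return decrypt(sk, encrypt(pk, m))

def tampered_proof_rejected(m=25):
    """A ciphertext whose proof was altered (s -> s + 1) is rejected before the key shares are used."""
    sk, pk = keygen()
    u, v, w, (a1, a2, s) = encrypt(pk, m)
    return decrypt(sk, (u, v, w, (a1, a2, (s + 1) % P)))
```

The order of operations in `decrypt` is the security-relevant part: a rejected proof returns before $U$ is computed, so an adversary submitting invalid ciphertexts never obtains leakage from an operation involving $L$ or $R$, which is exactly the condition the simulation argument above requires.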

6 A General Paradigm for Leakage-Resilient Cryptographic Schemes

In the last sections, we proposed leakage-resilient implementations of standard cryptographic schemes. Namely, we showed how to implement the standard Okamoto identification scheme and a variant of the ElGamal encryption scheme such that they satisfy strong security guarantees even under continuous leakage attacks. The security proofs of both schemes relied on very similar observations, namely:

1. The underlying cryptographic scheme (e.g., the Okamoto scheme or the ElGamal variant) computes only a linear function of the secret key. Notice that in the examples of the last sections the linear function was computed in the exponent. This is not a problem as long as the computation can be carried out efficiently. This was indeed the case for the schemes of the last sections.

2. The secret key is hidden information-theoretically even given the protocol transcript that an adversary obtains when interacting with the underlying cryptographic scheme. In the protocols from the last sections, for instance, the secret key $(x_1, x_2)$ was information-theoretically hidden even given the corresponding public key. Furthermore, for the Okamoto scheme this holds even given $(a, z_1, z_2)$, which were sent by the prover to the verifier.

Various other cryptographic schemes satisfy the above properties, and hence can be made secure against continuous leakage attacks. For instance, the Pedersen commitment scheme [ref], which is information-theoretically hiding and at the same time only requires computing a linear function of its secrets. Another example of the above paradigm is a variant of the linear Cramer-Shoup cryptosystem as presented in [ref]. Notice that as in the encryption scheme from Section 5 this requires using a NIZK proof system as the check for the validity of the ciphertexts. One can instantiate such a NIZK in the standard model using the Groth-Sahai proof system [ref]. This gives us an efficient CCLA1-secure public-key encryption scheme in the standard model, and a rather inefficient CCLA2-secure scheme using the extensions of [ref]. We suggest that many other standard cryptographic schemes can be proven secure following the ideas that were presented in this paper.

Abstract. We consider general program obfuscation mechanisms using "somewhat trusted" hardware devices, with the goal of minimizing the usage of the hardware, its complexity, and the required trust. Specifically, our solution has the following properties:

(i) The obfuscation remains secure even if all the hardware devices in use are leaky. That is, the adversary can obtain the result of evaluating any function on the local state of the device, as long as this function has short output. In addition the adversary also controls the communication between the devices.

(ii) The number of hardware devices used in an obfuscation and the amount of work they perform are polynomial in the security parameter independently of the obfuscated function's complexity.

(iii) A (universal) set of hardware components, owned by the user, is initialized only once and from that point on can be used with multiple "software-based" obfuscations sent by different vendors.


1 Introduction

Program obfuscation is the process of making a program unintelligible while preserving its functionality. (For example, we may want to publish an encryption program that allows anyone to encrypt messages without giving away the secret key.) The goal of general program obfuscation is to devise a generic transformation that can be used to obfuscate any arbitrary input program.

It is known from prior work that general program obfuscation is possible with the help of a completely trusted hardware device (e.g., [refs]). On the other hand, Barak et al. proved that software-only general program obfuscation is impossible, even for a very weak notion of obfuscation [ref]. In this work we consider an intermediate setting, where we can use hardware devices but these devices are not completely trusted. Specifically, we consider using leaky hardware devices, where an adversary controlling the devices is able to learn some information about their secret state, but not all of it.

We observe that the impossibility result of Barak et al. implies that hardware-assisted obfuscation using a single leaky device is also impossible, even if the hardware device leaks only a single bit (but this bit can be an arbitrary function of the device's state). See Section 1.3. Consequently, we consider a model in which several hardware devices are used, where each device can be locally leaky but the adversary cannot obtain leakage from the global state of all the devices together. Importantly, in addition to the leakage from the separate devices, our model also gives the adversary full control over the communication between them.

The outline of our solution is as follows: Starting from any hardware-assisted obfuscation solution that uses a completely trusted device (e.g., [ref]), we first transform that device into a system that resists leakage in the Micali-Reyzin model of "only computation leaks" (OCL) [ref] (or actually in a slightly augmented OCL model). In principle, this can be done using OCL-compilers from the literature [refs] (but see the discussion in Section 1.4 about properties of these compilers). The result is a system that emulates the functionality of the original trusted device; however, now the system is made of several components and can resist leakage from each of the components separately.

This still does not solve our problem since the system that we get from OCL-compilers only resists leakage if the different components can interact with each other over secret and authenticated channels (see the discussion in Section 1.3). We therefore show how to realize secure communication channels over insecure networks in a leakage-resilient manner. This construction, which uses non-committing encryption [ref] and information-theoretic MACs (e.g., [refs]), is the main technical novelty in the current work. See Section 1.4.

The transformation above provides an adequate level of security, but it is not as efficient and flexible as one would want. For one thing, the OCL-compilers in the literature [refs] produce systems with roughly as many components as there are gates in the underlying trusted hardware device. We show that using fully homomorphic encryption [refs] and universal arguments [ref] we can get a system where the number of components depends only on the security parameter and is (almost) independent of the complexity of the trusted hardware device that we are emulating. See Section 1.1.

Another drawback of the solution above is that it requires a new set of hard- 
ware devices for every program that we want to obfuscate. Instead, we would 
like to have just one set of devices, which are initialized once and thereafter can 
be used to obfuscate many programs. We show how to achieve such a reusable 
obfuscation system using a simple trick based on CCA-secure encryption; see
Section 1.2.

We now proceed to provide more details on the various components of our 
solution. 
1.1 Minimally Hardware-Assisted Obfuscation

Forgetting for the moment about leakage-resilience, we begin by describing a 
hardware-assisted obfuscating mechanism where the amount of work done by 
the trusted hardware is (almost) independent of the complexity of the program 
being obfuscated. The basic idea is folklore: The obfuscator encrypts the program
f using a fully homomorphic encryption scheme [?], gives the encrypted
program to the evaluator and installs the decryption key in the trusted hardware
device. Then, the evaluator can evaluate the program homomorphically on inputs 
of its choice and ask the device to decrypt. 

Of course, the above does not quite work as is, since the hardware device can 
be used for unrestricted decryption (so in particular it can be used to decrypt the 
function f itself). To solve this, we make the evaluator prove to the device that
the ciphertext to be decrypted was indeed computed by applying the homomor- 
phic evaluation procedure on the encrypted program and some input. Note that 
to this end we must add the encrypted program itself or a short hash of it to the 
device (so as to make “the encrypted program” a well-defined quantity). To keep 
the device from doing a lot of work, the proof should be verifiable much more 
efficiently than the computation itself, e.g., using the “universal arguments” of 
Barak and Goldreich [?]. We formalize this idea and show that this obfuscation
scheme satisfies a strong notion of simulation-based obfuscation. It can even be
implemented using stateless hardware with no source of internal randomness (so
it is secure against concurrent executions and reset attacks). See Section 2 for
more details.


1.2 Obfuscation Using Universal Hardware Devices 

A side-effect of the above solution is that the trusted hardware device must be 
specialized for the particular program that we want to protect (e.g., by hard- 
wiring in it a hash of the encrypted program), so that it has a well-defined 
assertion to verify before decryption. Instead, we would like the end user to use 
a single universal hardware device to run all the obfuscated programs that it 
receives (possibly from different vendors). 

We obtain this goal using a surprisingly simple mechanism: The trusted hard- 
ware device is installed with a secret decryption key of a CCA-secure cryptosys- 
tem, whose public key is known to all vendors. Obfuscation is done as before, 
except that the homomorphic decryption key and the hash of the encrypted 
program are encrypted using the CCA-secure public key and appended to the 
obfuscation. This results in a universal (or “sendable”) obfuscation: the device
is only initialized once and then everyone can use it to obfuscate their programs.
See more details in Section 3.

1.3 Dealing with Leaky Hardware 

The more fundamental problem with the hardware-assisted obfuscation is that 
the hardware must be fully leak-free and can only provide security as long as it is 
accessed as a black box. This assumption is not true in many deployments, so we
replace it by the weaker assumption that our hardware components are “honest- 
but-leaky”. Namely, in our model an obfuscated program consists of software 
that is entirely in the clear, combined with some leaky hardware components. 
Our goal is therefore to design an obfuscator that transforms any circuit with 
secrets into a system of software and hardware components that achieves strong 
black-box obfuscation even if the components can leak. 

We remark that the impossibility of universal obfuscation [?] implies that
more than one hardware component is necessary. To see this, observe that if we
had a single hardware component that resists (even one-bit) arbitrary leakage
then we immediately get a no-hardware obfuscation in the sense of Barak et al.
[?]: The obfuscated program consists of our software and a full description of
the hardware component (including all the embedded secrets). This must be a 
good obfuscation since any predicate that we can evaluate on this description 
can be seen as a one-bit leakage function evaluated on the state of the hardware 
component. If the device was resilient to arbitrary one-bit leakage, it would mean 
that any such leakage/predicate can be computed by a simulator that only has 
black-box access to the function; hence, we have a proper obfuscator. 


The model of leaky distributed systems. Given the impossibility result for a 
single leaky hardware component, we concentrate on solutions that use multiple 
components. Namely, we have (polynomially) many hardware components, all of 
which are leaky. The adversary in our model can freely choose the inputs to the 
hardware components and obtain leakage by repeatedly choosing one component 
at a time and evaluating an arbitrary (polynomial-size) leakage function on the 
current state and randomness of that component. We place no restriction on the 
order or the number of times that components can be chosen to leak, so long as 
the total rate of leakage from each component is not too high. 

In more detail, we consider continual leakage, where the lifetime of the system 
is partitioned into time units and within each time unit we have some bound on 
the number of leakage bits that the adversary can ask for. The components are 
running a randomized refresh protocol at the end of each time unit and erase
their previous state.¹ A unique feature of our model is that the adversary sees
and has complete control over all the communication between these components
(including the communication needed for the refresh protocol). We term our
leakage model the leaky distributed system model (LDS); indeed this is just the
standard model of a distributed system with adversarially controlled communi-
cation, when we add to it the fact that the individual parties are leaky.

We stress that this model seems realistic: the different components can be 
implemented by physically (and even geographically) separated machines, amply 
justifying the assumption on separate leakage. We also note that a similar (but 
somewhat weaker) model was suggested recently by Akavia et al. [?], in the
context of leakage-resilient encryption. 


1 This is reminiscent of the proactive security literature [?].

Only-computation-leaks vs. leaky distributed systems. Our leakage model shares
some similarities to the “only computation leaks” (OCL) model, in that the ad- 
versary can get leakage from different parts of the global state separately but 
not from the entire global state at once. These two models are nonetheless fun- 
damentally different, for two reasons. One difference is that in the OCL model the
different components “interact” directly by writing to and reading from mem- 
ory, and communication is neither controlled by nor visible to the adversary. In 
the LDS model, on the other hand, the adversary sees and controls the entire 
communication. Another difference is that in the OCL model, the adversary can 
only get leakage from the components in the order in which they perform the 
computation, whereas in LDS model, it can get leakage in any order. 

An intermediate model, that we use as a technical tool in this work, is where 
the adversary can get leakage from the components in any order (as in the LDS 
model), but the components communicate securely as in the OCL model. For 
lack of a better name, we call this intermediate model the OCL+ model. Clearly,
resilience to leakage in the model of leaky distributed systems is strictly harder
than in the OCL or OCL+ models, and every solution secure in our model will
automatically be secure also in the two weaker models.

1.4 From OCL+ to LDS

We present a transformation that takes any circuit secure in the OCL+ model
and converts it into a system of components that maintains the functionality
and is secure in the model of leaky distributed systems. Recently, Goldwasser-
Rothblum [22] constructed a universal compiler, which transforms any circuit
into one that is secure in the OCL+ model. (Unlike previous compilers [?],
the [22] compiler does not require a leak-free hardware component.) Combining
the compiler with our transformation, we obtain a compiler that takes any cir-
cuit and produces a system of components with the same functionality that is
secure in the LDS model. The number of components in the resulting system
is essentially the size of the original circuit, assuming we use the underlying
Goldwasser-Rothblum compiler. However, as we explain in Section 1.5 below,
we can reduce the number of components to be independent of the circuit size,
by first applying the hardware-assisted obfuscator from Section 1.1.

The main gap between the OCL+ model and our model of leaky distributed
systems is that in the former, communication between the components is com-
pletely secure, whereas in the latter it is adversarially controlled. At the heart of
our transformation stands an implementation of leakage-tolerant communication 
channels that bridges the above gap, based on the following tools: 

Non-Committing Encryption. Our main technical observation is that secret
communication in the face of leakage can be obtained very simply using non-
committing encryption [?]. Recall that non-committing encryption is a (poten-
tially interactive) encryption scheme such that a simulator can generate a fake 
transcript, which can later be “opened” as either an encryption of zero or as 
an encryption of one. This holds even when the simulator needs to generate 
the randomness of both the sender and the receiver. In our context, the dis-
tributed components use non-committing encryption to preserve the privacy of 
their messages. The observation is that non-committing encryption can be used 
to implement “leakage resilient channels”, in the sense that any leakage query 
on the state of the communicating parties could be transformed into a leakage 
query on the underlying message alone (see Section 4).

Leakage-resilient MACs. In addition to secrecy, we also need to ensure authen- 
ticity of the communication between the components. We observe that this can 
be done easily using information-theoretic MAC schemes based on universal
hashing [?]. Roughly, each pair of components will maintain rolling MAC
keys that are only used O(1) times. To authenticate a message, they will use the
MAC key sent with the prior message and will send a new MAC key to be used
for the next message. (We use a short MAC key to authenticate a much longer
message, so the additional bandwidth needed for sending future MAC keys is
tolerable.) Since these MAC schemes offer information-theoretic security, it is
very easy to prove that they can also tolerate bounded leakage. Authenticating
the communication assures that secrecy is kept (e.g., the adversary cannot have a
component encrypt a secret message under an unauthentic key) and also ensures
that the components remain “synchronized” (see Section 4).
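The rolling-key mechanism of the paragraph above, as an added illustration that is not code from the paper: a one-time polynomial MAC over GF(2^127 − 1) (a universal-hash MAC) in which every authenticated frame carries the key for the next frame, so each key is used exactly once and a replayed or reordered frame fails to verify. The field, block size, frame layout and the constructed messages are my own choices.

```python
"""Rolling information-theoretic MAC keys over an adversary-controlled channel.

Constructed example: a one-time polynomial MAC over GF(P).  The sender ships
the key for the *next* message inside the current authenticated payload, so
every key authenticates exactly one frame (the paper's "used O(1) times").
"""
import secrets

P = 2**127 - 1      # Mersenne prime; the field in which the hash is evaluated
BLOCK = 15          # bytes per message block, so every block is < P
KEY_BYTES = 32      # a key is two field elements (a, b), 16 bytes each
TAG_BYTES = 16


def gen_key():
    """Fresh one-time key (a, b), uniform in GF(P)^2."""
    return (secrets.randbelow(P), secrets.randbelow(P))


def _blocks(data: bytes):
    # Length prefix keeps messages of different lengths from colliding.
    yield len(data)
    for i in range(0, len(data), BLOCK):
        yield int.from_bytes(data[i:i + BLOCK], "big")


def mac(key, data: bytes) -> int:
    """tag = b + sum_i m_i * a^(l-i+1) mod P, computed by Horner's rule.

    With (a, b) uniform and used once, a forger who has seen one (data, tag)
    pair succeeds with probability at most (blocks + 1) / P, whatever its
    computing power: the security is information-theoretic, not computational.
    """
    a, b = key
    t = 0
    for m in _blocks(data):
        t = (t + m) * a % P
    return (t + b) % P


def _encode_key(key) -> bytes:
    a, b = key
    return a.to_bytes(16, "big") + b.to_bytes(16, "big")


def _decode_key(raw: bytes):
    return (int.from_bytes(raw[:16], "big"), int.from_bytes(raw[16:], "big"))


class Sender:
    """Holds the key for the next outgoing frame and rolls it on every send."""

    def __init__(self, key):
        self.key = key

    def send(self, msg: bytes) -> bytes:
        nxt = gen_key()
        payload = msg + _encode_key(nxt)          # next key travels in-band
        tag = mac(self.key, payload)              # authenticated by current key
        self.key = nxt                            # old key is erased
        return payload + tag.to_bytes(TAG_BYTES, "big")


class Receiver:
    """Accepts a frame only under the key delivered with the previous one."""

    def __init__(self, key):
        self.key = key

    def receive(self, frame: bytes):
        payload = frame[:-TAG_BYTES]
        tag = int.from_bytes(frame[-TAG_BYTES:], "big")
        if len(payload) < KEY_BYTES or mac(self.key, payload) != tag:
            return None                           # forged, replayed or reordered
        msg, nxt = payload[:-KEY_BYTES], _decode_key(payload[-KEY_BYTES:])
        self.key = nxt                            # stay synchronized with sender
        return msg


def demo():
    """Honest delivery, a tampered frame, and a replay; returns the outcomes."""
    k0 = gen_key()                                # shared at initialization
    s, r = Sender(k0), Receiver(k0)
    ok = r.receive(s.send(b"component state update"))
    frame = s.send(b"second message")
    flipped = bytearray(frame)
    flipped[0] ^= 1                               # adversary modifies one bit
    tampered = r.receive(bytes(flipped))          # rejected, key not consumed
    assert r.receive(frame) == b"second message"  # honest frame still verifies
    replayed = r.receive(frame)                   # key already rolled: rejected
    return ok, tampered, replayed
```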

1.5 The End-Result: Obfuscation with Leaky Hardware 

To obfuscate a program, we first apply the hardware-assisted obfuscator from
Section 1.1, thus obtaining a universal hardware device, whose size and amount
of computation (per input) depend only on the security parameter, and which
can be used to evaluate obfuscated programs from various vendors. We next ap-
ply the Goldwasser-Rothblum compiler [22], together with our transformation
from Section 1.4, to the code of the hardware device, resulting in a system of
components that can still be used for obfuscation in exactly the same way (as 
the universal device), but is now guaranteed to remain secure even if the com- 
ponents are leaky and even if the communication between them is adversarially 
controlled. 

To obfuscate a program f using this system, the obfuscator generates keys for
the FHE scheme and encrypts f under these keys. In addition, it uses the public
CCA2 key generated with the original universal device to encrypt the secret FHE 
key together with a hash of the encrypted program. The encrypted program and 
parameters are then sent to the user. Evaluating the obfuscated program consists 
of running the FHE evaluation procedure and then interacting with the system 
of components (in a universal argument) to decrypt the resulting ciphertext. The 
system verifies the proof in a leakage-resilient manner and returns the decrypted 
result. 

We remark that our transformation from any circuit/device to a leaky system 
of components, as well as our transformation from circuit-specific obfuscation 
schemes to general-purpose ones, are generic and can be applied to any device- 
assisted obfuscation scheme, such as the schemes of [?]. When doing so, the
end result will inherit the properties of the underlying scheme. In particular,
when instantiated with [?], the amount of work performed by the devices is
proportional to the size of the entire computation (the hardware used for each 
gate in the obfuscated circuit). 


1.6 Related Work 

Research on formal notions of obfuscation essentially started with the work
of Barak et al. [?], who proved that software-only obfuscation is impossible
in general. This was followed by other negative results [?] and some posi-
tive results for obfuscating very simple classes of functions (e.g., point func-
tions) [?]. The sweeping negative results for software-only obfuscation
motivated researchers to consider relaxed notions where some interesting special
cases can be obfuscated (e.g., [?]).

In contrast, the early works of Best [?], Kent [?] and Goldreich and Ostro-
vsky [?] addressed the software-protection problem using a physically shielded
full-blown CPU. The work of Goyal et al. [?] showed that the same can be
achieved also with small stateless hardware tokens. These solutions only con-
sider perfectly opaque hardware. Furthermore, in these works the amount of
work performed by the secure hardware device during the evaluation of one
input is proportional to the size of the entire computation.²

The work by Goldwasser et al. [?] on one-time programs shows that pro-
grams can be obfuscated using very simple hardware devices that do very little
work. However, their resulting obfuscated program can be run only once.

Our focus on obfuscation with leaky hardware follows a large corpus of recent
works addressing leakage-resilient cryptography (see, e.g., [?] and references
within). In particular, our construction uses results of Goldwasser and Roth-
blum [?, 22], which show how to convert circuits into ones that are secure in the
only-computation-leaks model of Micali and Reyzin [?] (or even in the stronger
OCL+ model described above).

Our construction of leakage-tolerant secure channels and the relation between 
leakage-tolerance and adaptive security were further investigated and generalized 
in [?], who consider general universally composable leaky protocols.

Organization. In Section 2 we construct a hardware-assisted obfuscation scheme
where the amount of work done by the hardware is minimal (polynomial in the
security parameter). In Section 3 we show how to transform any “circuit-specific”
scheme, such as the one constructed in Section 2, to a “general-purpose” scheme
where the same hardware device can be used for multiple obfuscated programs.
In Section 4 we show how to transform any hardware-assisted obfuscation, such
as the above, to a leakage-resilient scheme. The full details and proofs as well as
some of the secondary results can be found in the full version of this paper [?].


2 On the other hand, the solutions in [19, ?] can be based on one-way functions, while
our solution requires stronger tools such as FHE and universal arguments.

2 Hardware Assisted Obfuscation

In this section we construct a hardware assisted obfuscation scheme. The basic
model and definitions are presented in Section 2.1. An overview of the construc-
tion is presented in Section 2.2. The detailed construction and its analysis can
be found in the full version of this paper [?].

2.1 The Model 

In the setting of hardware assisted obfuscation, a circuit C (taken from a family
C_n of poly-size circuits) is obfuscated in two stages. First, the PPT obfuscation
algorithm O is applied to C, producing the “software part” of the obfuscation
obf, together with (secret) parameters params for device initialization. At the
second stage, the hardware device HW is initialized with params. The evalu-
ator is given obf and black-box access to the initialized device HW_params. In
our security definition, we consider a setting in which the adversary is given
t = poly(n) independent obfuscations of t circuits, where obfuscation i consists
of a corresponding device HW_{params_i} and obfuscated data obf_i. In this model each
obfuscated circuit may have its own specialized device.

Definition 2.1 (Circuit-specific hardware-assisted obfuscation (CSHO)).
(O, HW, Eval) is a CSHO scheme for a circuit ensemble C = {C_n}, if it satisfies:

— Functional Correctness. Eval is a poly-time oracle-aided TM, such that
for any n ∈ N, C ∈ C_n and input v for C: Eval^{HW_params}(1^{|C|}, obf, v) = C(v),
where (obf, params) ← O(C).

— Circuit-Independent Efficiency. The size of HW_params is poly(n), in-
dependently of |C|, where (params, obf) ← O(C). Also, during each run of
Eval^{HW_params}(1^{|C|}, obf, v) on any input v, the total amount of work performed
by HW_params is poly(n), independently of |C|.

— Polynomial Slowdown. O is a PPT algorithm. In particular, there is a
polynomial q, such that for any n ∈ N and C ∈ C_n, |obf| ≤ q(|C|).

— t-Composable Virtual Black Box (VBB). Any adversary, given t ob-
fuscations, can be simulated, given oracle access to the corresponding circuits.
That is, for any PPT A (with arbitrary output) there is a PPT S such that:

$\{A^{HW_1,\dots,HW_t}(z, obf_1, \dots, obf_t)\} \approx \{S^{C_1,\dots,C_t}(z, 1^n, |C_1|, \dots, |C_t|)\},$

where C_1, ..., C_t ∈ C_n, z ∈ {0,1}^{poly(n)} is an arbitrary auxiliary input, HW_i =
HW_{params_i} and (obf_i, params_i) ← O(C_i).

We say that the scheme is stand-alone VBB if it is 1-composable. We say
that the scheme is composable if it is t-composable for any polynomial t.

While previous solutions [?] satisfy the correctness and security require-
ments of Definition 2.1, they require that the total amount of work performed
by the device for a single evaluation is proportional to |C|, the size of the en-
tire circuit. Namely, they do not achieve circuit-independent efficiency. In this
section we show how to construct schemes which do achieve this feature,
based on a different approach. The main result is given by Theorem 2.1.

Theorem 2.1. Assuming fully homomorphic encryption, there exists a compos-
able CSHO scheme for all polynomial size circuit ensembles C = {C n }. 


2.2 The Construction 

We next overview the main aspects of the constructions. 

The main ideas. Informally, given an FHE scheme E, we obfuscate a circuit C by
sampling (sk, pk) ← Gen(1^n), encrypting Ĉ = Enc_pk(C) and creating a “proof-
checking decryption device” HW = HW_sk which is meant to decrypt “proper
evaluations”. The obfuscation consists of obf = (Ĉ, pk) and oracle access to HW.
To evaluate the obfuscation on input v, compute e = Eval_pk(Ĉ, U_{s,v}), where
U_{s,v} is a universal circuit that given a circuit C of size s outputs C(v).³ Then,
“prove” to HW that indeed e = Eval_pk(Ĉ, U_{s,v}). In case HW is “convinced”, it
decrypts C(v) = Dec_sk(e) and returns the result to the evaluator. Intuitively,
the semantic security of E and the soundness of the proof system in use should
prevent the evaluator from learning anything about the original circuit C other
than its input-output behavior.

We briefly point out the main technical issues that arise when applying the 
above approach and the way we deal with these issues. 

— Minimizing the device’s workload. Proving the validity of an evalu-
ated ciphertext e w.r.t. an encrypted circuit Ĉ amounts to proving that a
poly(|C|)-long computation was performed correctly. However, the running
time of our device should be independent of |C| and hence it cannot process
such a computation. In fact, it cannot even process the assertion itself as it
includes the poly(|C|)-long encryption Ĉ. To overcome this, we use univer-
sal arguments (UA’s) that also have a proof of knowledge property [?] and
collision resistant hashing. Specifically, the device only stores a (short) hash
h(Ĉ) and the evaluator proves it “knows” an encrypted circuit Ĉ' with the
same hash and that the evaluated ciphertext is the result of applying Eval_pk
to Ĉ' and the universal circuit U_{s,v} (corresponding to some input v).

— Using a stateless device with no fresh randomness. Our device can
be implemented as a boolean circuit that need not maintain a state between
evaluator calls nor generate fresh randomness; in particular, it should with-
stand concurrent proof attempts and “reset attacks” (as termed by [?]). To
enable this, we use similar techniques to those in [?]. Informally, these tech-
niques allow transforming the UA protocol we use to a “resettable” protocol,
where the verifier’s randomness is fixed to some pseudo-random function.⁴

3 Abusing notation, we denote by Eval both evaluation algorithms Eval^{HW_params}(obf, v)
and Eval_pk. To distinguish between the two, we always denote the evaluation algo-
rithm of the FHE scheme by Eval_pk.

4 The mentioned techniques essentially transform any public-coin constant-round pro-
tocol to a “resettable” one.

3 General-Purpose (Sendable) Obfuscation

In this section we show how to convert any circuit-specific obfuscation scheme,
such as the one in Section 2, to a scheme which uses a single universal (general-
purpose) hardware device. The basic model and definitions are presented in
Section 3.1, the transformation is presented in Section 3.2 and analyzed in the
full version of this paper [?].

3.1 The Model 

In circuit-specific obfuscation, the obfuscator gives the user a device that depends 
on the obfuscated circuit C. More precisely, the “specifying parameters” params, 
produced by O (C) , depend on C and are hardwired into the device before it is 
sent to the user. Thus, each device supports only a single obfuscated circuit. 

We consider a more natural setting in which different parties can send obfus-
cations to each other online, without the need to exchange devices for each
obfuscation. Informally, in this setting we assume that a trusted manufacturer
creates devices, where each device is associated with private and public param- 
eters (prv, pub). The private parameters are hardwired into the device and are 
never revealed (they can be destroyed), while the public ones are published to- 
gether with the “identity” of the device (e.g., on the manufacturer’s web page 
www.obfuscationdevices.com). Any user, who wishes to send an obfuscation of 
a circuit C to another user who holds such a device, retrieves the corresponding 
public parameters and sends the required obfuscation. 

Concretely, a general-purpose obfuscation scheme consists of two randomized
algorithms (Gen, O) and a device HW. First, Gen(1^n) generates private and pub-
lic parameters (prv, pub) (independently of any circuit). Then, HW is initialized
with prv and the initialized device HW_prv is given to the user. The corresponding
pub is published. Anyone holding pub can obfuscate a circuit C by computing
obf ← O(C, pub) and sending obf to the user holding the device.

Definition 3.1 (General-purpose hardware-assisted obfuscation
(GPHO)). (O, Gen, HW, Eval) is a GPHO scheme for C = {C_n} if it satisfies:

— Functional Correctness. Eval is a polynomial-time oracle-aided TM, such
that for any n ∈ N, C ∈ C_n and input v for C: Eval^{HW_prv}(1^{|C|}, obf, v) = C(v),
where (prv, pub) ← Gen(1^n) and obf ← O(C, pub).

— Circuit-Independent Efficiency. The size of HW_prv is polynomial in n,
independent of |C|, where (prv, pub) ← Gen(1^n). Moreover, during each run
of Eval^{HW_prv}(1^{|C|}, obf, v) on any input v, the total amount of work performed
by HW_prv is polynomial in n, independent of |C|.

— Polynomial Slowdown. O and Gen are PPT algorithms. In particular,
there is a polynomial q such that for any n ∈ N, C ∈ C_n, |pub, prv| ≤ q(n)
and |obf| ≤ q(|C|).

— Virtual Black Box (VBB). For any PPT adversary A and polynomial t
there is a PPT simulator S such that:

$\{A^{HW_{prv}}(z, obf_1, \dots, obf_t)\} \approx \{S^{C_1,\dots,C_t}(z, 1^n, |C_1|, \dots, |C_t|)\},$

where C_1, ..., C_t ∈ C_n, z ∈ {0,1}^{poly(n)} is an arbitrary auxiliary input,
(prv, pub) ← Gen(1^n) and obf_i ← O(C_i, pub).


3.2 The Transformation 

Essentially, we wish to avoid restricting the device to a specific circuit C (like
hard-wiring h(Ĉ) into the device as done in our circuit-specific scheme). Instead,
we would like to have the user “initialize” his device with the required parameters 
params for each obfuscation he wishes to evaluate. However, params cannot be 
explicitly given to the evaluator as they contain sensitive information. 

For this purpose, we simply use a CCA2 public key encryption scheme. That 
is, the obfuscator will generate params, but instead of hard-wiring them into the 
hardware device (which will make the device circuit-specific), he will encrypt 
params and send the resulting ciphertext to the user. The fact that the underlying 
encryption scheme is CCA2 secure implies that the user can neither gain any 
information about params nor change it to related parameters params'. 

More formally, the new general-purpose device HW' is manufactured together 
with a pair of CCA2 keys (prv, pub) = (sk, pk). The secret key sk is hardwired 
into the device (and destroyed), while pk is published. Each device call is ap- 
pended with the CCA2 encryption of params. The device HW' answers its calls by 
first decrypting the encrypted parameters params and then applying the device 
HW_params of the underlying circuit-specific scheme (e.g., the scheme in Section 2).
In the full version [?] we present the detailed construction and show:

Theorem 3.1. Given a CCA2 encryption scheme, any circuit-specific obfusca-
tion scheme as in Definition 2.1 can be transformed to a general-purpose one as
in Definition 3.1.

Corollary 3.1 (of Theorems 2.1 and 3.1). Assume that there exists a fully ho-
momorphic encryption scheme and a CCA2 encryption scheme; then there exists
a general-purpose obfuscation scheme.

Remark 3.1. The above transformation would also work (as is) for schemes with 
no circuit-independent efficiency. The amount of work performed by the general- 
purpose device is essentially inherited from the underlying scheme (with the fixed 
overhead of CCA2 decryption). In particular, we can apply it to the scheme of 
[?] and get a general-purpose solution that is based solely on the existence of
CCA2 schemes, but which makes poly(|C|) device calls. 

4 Obfuscation with Leaky Hardware 

We now turn to the task of dealing with leaky hardware. As we explained in the 
introduction, if we allow arbitrary leakage functions (even with small output) 
then it is impossible to obfuscate using a single leaky hardware device. Hence, our 
goal is to show how to use many leaky hardware devices to achieve obfuscation. 
We first show how to obfuscate any function f using leaky hardware devices,
where the number of devices is proportional to the size of the circuit computing f.
Then, we apply this obfuscator to the function computed by the hard-
ware device from Section 2 (or Section 3, respectively) to get circuit-specific (or
general-purpose, respectively) obfuscation with leaky hardware devices, where
the number of devices is polynomial in the security parameter, independent of
the function being obfuscated.

4.1 An Overview 

In what follows, we give an informal definition of obfuscation with leaky hardware 
and a high-level overview of our construction. The formal definitions and detailed 
construction are given in Sections 4.2 and 4.3. The security analysis can be found
in the full version of this paper [?].

The leaky distributed system (LDS) model. In the LDS model a functionality
f (with secrets) is implemented by a system of multiple hardware components
(HW_1, HW_2, ..., HW_m). The components can maintain a state and generate fresh
randomness. To evaluate the functionality f, an input v is given to HW_1 and the
components communicate to jointly compute f(v), which is eventually output
by HW_m. The adversary (evaluator) in our model can freely choose the inputs
to the computation and is given full control over the communication between
the components. In addition, the adversary can choose one component at a time
and evaluate a leakage function on its inner state and randomness.

We consider a continual leakage model, where the lifetime of each component
HW_i is partitioned into time periods (that are set according to the inputs that
HW_i receives). At the end of each time period, HW_i “refreshes” its inner state
by applying an Update procedure (that erases the previous state). The Update
procedures performed at different components are coordinated by exchange of
messages. Like the rest of the computation, the Update procedure is also exposed to
leakage, and the adversary controls the exchange of messages during the update.

We place no restriction on the order and timing of the adversary’s interaction 
with the system. In particular, it can pass messages to any component at any 
time and get leakage on any component at any time (which can depend on 
previous leakage and messages). 

Constructing secure leaky distributed systems (LDS). Our goal is to compile (or
“obfuscate”) any functionality, given by some circuit C (with hardwired secrets),
into an LDS that perfectly protects C, as long as the leakage from each HW_i
in each time period is bounded. In the terminology of obfuscation, the LDS
should perform as a virtual black-box: The view of any adversary A attacking
the LDS can be simulated by a simulator S which can only access C as a black-
box. In particular, S should simulate on its own the communication between the
components and all the leakage. We achieve this goal in two main steps:

1. We apply the Goldwasser-Rothblum compiler to the circuit C to get a circuit
that is secure in the (augmented) only computation leaks (OCL+) model.
2. Then, we provide a general transformation that takes any OCL+-secure cir-
cuit and transforms it to a secure LDS.

Hence, our main goal is to show that an adversary in the LDS model can be 
simulated by an adversary in the OCL^+ model (which does not witness the 
communication between the modules). Then, by the OCL^+-security (implied by the 
GR compiler), we can deduce that the simulation can be done with only black-box 
access to the underlying functionality. 

At the heart of our transformation lies an implementation of leakage-tolerant 
communication channels. We first explain the main ideas required to achieve 
secrecy and then explain how to obtain authenticity. 

Leaky secret channels from non-committing encryption. In the OCL^+ model, the 
components can securely exchange messages. Still, the adversary might get some 
leakage on the contents of these messages, since the (leaky) state of the components 
includes the messages at some point. The OCL^+ security guarantee implies, 
however, that a bounded amount of such leakage does not compromise the security 
of the entire system. 

To enhance OCL^+-security to LDS-security we implement the secure communication 
channels. As explained above, we assume for now that the adversary 
delivers all messages intact and deal only with secrecy. The standard solution 
for secret channels would be to encrypt all communication between the 
components; in the face of leakage, however, this approach encounters the following 
difficulty. Consider a sender component HW_S in the LDS model that wishes to 
communicate a message M to a receiver component HW_R (using some encryption 
scheme). The adversary can obtain arbitrary (bounded) leakage 
on the state of both HW_S and HW_R, including leakage on the plaintext M and 
on the randomness r_S, r_R used to encrypt and decrypt. Moreover, the leakage function 
can depend on the ciphertexts that were already sent. This implies 
that naively simulating the communication (say, by encryptions of 0) will not work. 

Our main technical observation is that the above obstacle can be overcome 
using non-committing encryption (NCE) [12]. NCE schemes (which can potentially 
be interactive) allow simulating a fake ciphertext (or transcript) c together 
with two optional random strings (r_S^0, r_S^1), (r_R^0, r_R^1) for the sender S and 
the receiver R, respectively. The simulated ciphertext can later be "opened" as an encryption of 
either 0 or 1 (using the suitable randomness).^5 This tool allows us to show that 
the view of an attacker A in the LDS model can be simulated by an attacker A' 
in the OCL^+ model, provided that the components communicate using NCE. 

Specifically, for any single-bit message, the OCL^+ adversary A' (which does 
not see any communication) will use the NCE to generate fake communication 
with corresponding randomness r̃ = (r_S^0, r_S^1), (r_R^0, r_R^1). Then, when the simulated 
A performs a leakage query L to be evaluated on both the plaintext b and the 
encryption's randomness, A' translates it into a new leakage query L' which 
is evaluated only on the plaintext message. The leakage function L' 
has the simulated randomness r̃ hardwired into it and chooses which 
randomness to use according to the plaintext b, i.e. L'(b) = L(b, r̃^b), where 
r̃^b is the simulated randomness that opens the fake ciphertext as b. 

^5 NCE was so far mainly used in the setting of multi-party computation as a tool 
for dealing with adaptive corruptions. Indeed, leakage can be viewed as a restricted 
form of "honest but curious" corruption, where the adversary learns part of the 
state, whereas in full corruption it learns the entire state. In both cases, the choice 
of leakage/corruption is made adaptively according to the view of the adversary so 
far. The relation between leakage-tolerant protocols and adaptively secure protocols 
is further generalized in [11]. 
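The following Python is an added illustration of this simulation step and is not code from the paper. It uses a one-time pad as a toy one-bit non-committing encryption (the pad, the enumeration of 1-bit leakage functions and all names are assumptions of the example; real NCE schemes work with public keys and possibly interaction), builds the translated query L'(b) = L(b, r̃^b), and checks exhaustively that the pair (ciphertext, leakage) seen by A has exactly the same distribution whether it was produced by real encryption or by A' from a fake ciphertext.

```python
import secrets
from itertools import product

# Toy one-bit non-committing encryption (assumption of this example): a one-time pad.
# Encrypting bit b with randomness r gives c = b XOR r.  It is non-committing because
# a fake ciphertext can be "opened" as either bit by choosing r afterwards.


def nce_enc(b: int, r: int) -> int:
    return b ^ r


def nce_dec(c: int, r: int) -> int:
    return c ^ r


def nce_simulate():
    """Fake ciphertext c together with r_tilde[b], the randomness that opens c as bit b."""
    c = secrets.randbits(1)
    return c, {0: c ^ 0, 1: c ^ 1}


def translate_leakage(L, r_tilde):
    """A' turns A's query L(b, r) on plaintext *and* randomness into a query L'(b)
    on the plaintext only, with the simulated randomness hard-wired into it."""
    return lambda b: L(b, r_tilde[b])


def real_view(b: int, L):
    """Distribution of (ciphertext, leakage) A sees in the LDS model, enumerated over r."""
    return sorted((nce_enc(b, r), L(b, r)) for r in (0, 1))


def simulated_view(b: int, L):
    """Same pair as produced by A' from a fake ciphertext and the translated query;
    the coin of nce_simulate() is enumerated instead of sampled."""
    views = []
    for c in (0, 1):
        r_tilde = {0: c, 1: c ^ 1}
        views.append((c, translate_leakage(L, r_tilde)(b)))
    return sorted(views)


def all_boolean_leakage_functions():
    """All 16 functions L: {0,1}^2 -> {0,1}; each is one adversarial 1-bit leakage query
    on (plaintext, randomness).  The adversary may pick L after seeing c, which the
    exhaustive enumeration covers."""
    for table in product((0, 1), repeat=4):
        yield lambda b, r, t=table: t[2 * b + r]


def simulation_is_perfect() -> bool:
    """True iff real and simulated (c, leakage) distributions coincide for every
    plaintext bit and every leakage query, i.e. translating L into L' loses nothing."""
    return all(real_view(b, L) == simulated_view(b, L)
               for b in (0, 1) for L in all_boolean_leakage_functions())


if __name__ == "__main__":
    print("simulation perfect for all 1-bit queries:", simulation_is_perfect())
```

The check succeeds because, for a fixed fake ciphertext c, the real randomness is the unique r with c = b XOR r, which is exactly the opening r̃^b that A' hard-wires into L'; with bounded leakage this is the only fact about r the adversary can ever learn.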

Leakage-resilient MACs. To deal with adversaries that interfere with message 
delivery we use leakage-resilient c-time MAC schemes. Informally, every two 
communicating components maintain rolling MAC keys that are used at most c = O(1) times. After 
c-1 uses the components run the Update protocol to obtain fresh MAC keys. 
The communication during the update is done using NCE as described above, 
while authentication uses the c-th application of the previous key. 

4.2 The LDS Model 

Our leakage model postulates an adversary A that interacts with a system of 
distributed leaky hardware components. Each component maintains a state and 
is capable of producing fresh randomness. At the onset of the interaction, the 
components are pre-loaded with some secret state and thereafter they can receive 
messages, send messages and leak information to the attacker. In our model all 
the I/O of the components and their communication is done via the attacker A. 

Definition 4.1 (Single-input leakage). In a distributed single-input λ-leakage 
attack a PPT adversary A interacts with hardware components (HW_1, ..., HW_m) 
and can do the following (in any order, possibly in an interleaved manner): 

1. Feed O(C) a single input of its choice. 

2. Interact with each component, sending it messages and receiving the resulting 
outputs and replies. These devices are message-driven, so they are activated 
by receiving messages from the attacker, then they compute and send the 
result, then wait for more messages. 

3. Adaptively send up to λ 1-bit leakage queries to each of the hardware 
components. Each leakage query is modeled as a poly-size Boolean circuit and 
is applied to the entire state of a single hardware device. Without loss of 
generality, we can think of the state of the device as it was at the last time 
that the device was activated, including all the randomness that the device 
generated in order to handle the last activation. 

We denote the output of A in such an attack by A[λ : HW_1, ..., HW_m]. 

Definition 4.2 (Continual leakage). A continual λ-leakage attack is an 
attack where a PPT adversary A repeats a single-input λ-leakage attack polynomially many 
times, where between any two consecutive attacks the devices' secret state is 
updated by applying a PPT algorithm Update to the state of each HW_i separately. A 
obtains leakage during the Update procedure, where the leakage function takes as 
input both the current secret state of HW_i and the randomness used by Update. 

We denote by time period t at device HW_i the time period between the 
beginning of the (t-1)st Update procedure and the end of the t-th Update procedure 
(note that these time periods are overlapping).^6 We allow the adversary A to 
leak at most λ bits from each HW_i during each (local) time period. 

We denote the output of A in such an attack by A[λ : HW_1, ..., HW_m : Update]. 

Below we consider an obfuscator O that takes as input a circuit C and outputs an 
"obfuscated" version of C that uses leaky hardware devices as above. Namely, 
we have (HW_1, ..., HW_m) ← O(C), where the HW_i's are the leaky hardware 
devices, initialized with the appropriate circuits. 

Remark 4.1. In Definitions 2.1 and 3.1 the obfuscator O outputs a "software 
part" obf and parameters params for initializing the hardware. In the current 
setting, the obfuscation does not contain a software part. The simplified 
notation (HW_1, ..., HW_m) ← O(C) should be interpreted as sampling {params_i} ← 
O(C) (where params_i corresponds to the i-th sub-computation) and initializing 
the hardware devices {HW_i} accordingly. 

Definition 4.3. We say that O is an LDS-obfuscator with continual λ-leaky 
hardware if for any circuit C and (HW_1, ..., HW_m) ← O(C), the distributed 
system (HW_1, ..., HW_m) maintains the functionality of C when all the messages 
between them are delivered intact, and in addition we have the following: 

For any PPT attacker A executing a continual λ-bit leakage attack, there 
exists a PPT simulator S such that for any ensemble of poly-size circuits {C_n}: 

$$\{A(z)[\lambda : HW_1, \ldots, HW_m : \mathrm{Update}]\}_{n \in \mathbb{N},\ C \in C_n,\ z \in \{0,1\}^{\mathrm{poly}(n)}} \approx \{S^{C}(z, 1^{|C|})\}_{n \in \mathbb{N},\ C \in C_n,\ z \in \{0,1\}^{\mathrm{poly}(n)}},$$

where (HW_1, ..., HW_m) ← O(C), z is an arbitrary auxiliary input, and S^C denotes 
that the simulator only has black-box access to C. 


4.3 The Construction 

We build our solution using a compiler 𝒞 that is secure in the continual λ-OCL^+ 
model. Namely, 𝒞 converts any circuit C into a collection of leaky sub-components 
(sub_1, ..., sub_m) (that also have an update procedure, Update') that 
is secure as long as the adversary can only get λ bits of leakage from each component in 
each time period and cannot see or influence the communication between them. In 
our model, however, the communication is under the control of the adversary. 
To secure the communication, we use non-committing encryption and c-time 
leakage-resilient MACs (as described in the overview). 

The construction. Given a circuit C, the obfuscator O does the following: 

^6 Intuitively, time period t is the entire period during which the t-th updated secret state 
can be leaked. During the t-th Update procedure, both the (t-1)st secret state and 
the t-th secret state may leak, which is why the time periods are overlapping. 
1. Apply the λ-OCL^+ compiler 𝒞 to C and obtain a circuit C' = (sub_1, ..., sub_m) 
and an Update' procedure, such that (C', Update') is secure in the continual 
λ-OCL^+ model. 

We assume for simplicity that: (a) sub_1 is the input module, which takes as 
input the "original" input x ∈ {0,1}^n and passes it to the relevant sub_j's; 
(b) sub_m generates the final output; (c) the messages exchanged between 
the modules are all of the same size ℓ = ℓ(n). 

2. Put each module sub_i in a separate hardware component HW_i. 

3. For every two communicating modules i, j ∈ [m], generate a random key 
K_{i,j} ← {0,1}^t for a λ-leakage-resilient MAC scheme (MAC, Vrfy) with keys 
of length t = O(λ). For every i ∈ [m], hard-wire in HW_i the set of keys 
{(j, K_{i,j})} for every j such that sub_j and sub_i communicate. 

4. For every i ∈ {1, ..., m-1} and every j ∈ {2, ..., m}, whenever sub_i is 
supposed to send a message M = (M_1, ..., M_ℓ) to sub_j, the corresponding 
hardware HW_i sends M to HW_j using a non-committing encryption scheme 
(NCGen, NCEnc, NCDec). Moreover, all the communication in this process 
is authenticated using the MAC scheme (MAC, Vrfy). More specifically, the 
hardware devices HW_i and HW_j communicate as follows: 

(a) Hardware HW_j (the receiver) does the following: 

i. For each k ∈ [ℓ], sample a random r_{R,k} ∈ {0,1}^{poly(n)} and compute 
(e_k, d_k) = NCGen(1^n; r_{R,k}). Henceforth, let e = (e_1, ..., e_ℓ), d = 
(d_1, ..., d_ℓ). 

ii. Compute σ_e = MAC(e; K_{i,j}). 

iii. Send (e, σ_e) to HW_i and keep d as part of the secret state. 

(b) Hardware HW_i (the sender) does the following: 

i. Verify that Vrfy(e, σ_e; K_{i,j}) = 1 and verify that (e, σ_e) was not 
already sent by HW_j during this time period. If this check fails then 
discard the message e. 

ii. If the check passes, for each k ∈ [ℓ] choose a random r_{S,k} ∈ {0,1}^{poly(n)} and 
compute c_k = NCEnc(M_k, e_k; r_{S,k}). Henceforth, let c = (c_1, ..., c_ℓ). 

iii. Compute σ_c = MAC(c; K_{i,j}). 

iv. Send (c, σ_c) to HW_j. 

(c) Hardware HW_j does the following: 

i. Verify that Vrfy(c, σ_c; K_{i,j}) = 1 and verify that (c, σ_c) was not already 
sent by HW_i during this time period. If this check fails then discard the message c. 

ii. If the check passes, compute for each k ∈ [ℓ], M_k = NCDec(c_k, d_k). 
Once HW_j gets M, it runs sub_j on input M (unless sub_j is waiting for 
additional inputs). 

5. Finally, HW_m sends an output message (assuming sub_m is the sub-computation 
that generates the outputs). 

6. For each HW_i, after each "valid" activation (i.e., after it did its share in a 
computation), HW_i erases all its computations and updates its secret state, 
using an update procedure Update defined as follows. 

(a) Apply the Update' procedure to update the state of sub_i. 

(b) Refresh the MAC keys by choosing new random MAC keys K'_{i,j} for every 
j > i such that HW_i and HW_j communicate. Then send K'_{i,j} to HW_j. 

(c) Erase the previous MAC keys K_{i,j}. 

(d) Communication: All the communication within the update procedure 
is done as in step 4. Namely, for each message, repeat steps 4(a)-4(c), 
where the MACs are w.r.t. the previous MAC key K_{i,j}. 
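The following Python is an added example of the authentication and key-rotation bookkeeping in steps 4 and 6; it is not the paper's construction. It checks tags, rejects replays within a time period, allows at most c uses of a key, and runs an Update whose fresh key is authenticated by the previous key's last permitted use. HMAC-SHA256 is assumed as a stand-in for the leakage-resilient c-time MAC, the NCE encryption of the transported key is omitted (the payload stands in for the NCE ciphertext), and the component names are the example's own.

```python
import hashlib
import hmac
import secrets

C_USES = 3  # the constant c: a MAC key is used at most c times per time period


def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 is an assumed stand-in for the leakage-resilient MAC (MAC, Vrfy).
    return hmac.new(key, msg, hashlib.sha256).digest()


def vrfy(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)


class Component:
    """One hardware component HW_i, reduced to the channel bookkeeping of steps 4 and 6:
    the MAC key shared with each peer, how many tags it produced under that key, and
    which tagged messages it already accepted from that peer in the current period."""

    def __init__(self, name: str):
        self.name = name
        self.key = {}    # peer -> K_{i,j}
        self.uses = {}   # peer -> tags computed under K_{i,j}
        self.seen = {}   # peer -> set of (payload, tag) accepted this time period

    def install_key(self, peer: str, key: bytes) -> None:
        self.key[peer] = key        # overwriting erases the previous key (step 6(c))
        self.uses[peer] = 0
        self.seen[peer] = set()     # the replay memory is per time period

    def needs_update(self, peer: str) -> bool:
        # after c-1 uses, the c-th application is reserved for authenticating the Update
        return self.uses[peer] >= C_USES - 1

    def send(self, peer: str, payload: bytes) -> tuple:
        if self.uses[peer] >= C_USES:
            raise RuntimeError("MAC key exhausted; Update must run first")
        self.uses[peer] += 1
        return payload, mac(self.key[peer], payload)

    def receive(self, peer: str, payload: bytes, tag: bytes):
        """Returns the payload, or None when the message is discarded (the checks of
        steps 4(b)i and 4(c)i: bad tag, or already delivered in this period)."""
        if not vrfy(self.key[peer], payload, tag):
            return None
        if (payload, tag) in self.seen[peer]:
            return None
        self.seen[peer].add((payload, tag))
        return payload


def update(hw_i: Component, hw_j: Component) -> bool:
    """Steps 6(b)-(d) for a pair (i, j), i < j: HW_i picks a fresh K'_{i,j} and sends it
    authenticated under the previous key (its last permitted use).  In the construction
    the key travels inside the NCE channel of step 4; that encryption is omitted here."""
    new_key = secrets.token_bytes(32)
    payload, tag = hw_i.send(hw_j.name, b"UPDATE:" + new_key)
    got = hw_j.receive(hw_i.name, payload, tag)
    if got is None:
        return False
    hw_j.install_key(hw_i.name, got[len(b"UPDATE:"):])
    hw_i.install_key(hw_j.name, new_key)
    return True


def demo() -> dict:
    """Runs one time period between HW_1 and HW_2 and reports which checks fired."""
    hw1, hw2 = Component("HW_1"), Component("HW_2")
    k = secrets.token_bytes(32)                   # K_{1,2}, hard-wired at setup (step 3)
    hw1.install_key("HW_2", k)
    hw2.install_key("HW_1", k)
    out = {}
    payload, tag = hw1.send("HW_2", b"c_1")       # first use of K_{1,2}
    out["accepted"] = hw2.receive("HW_1", payload, tag) == b"c_1"
    out["replay_rejected"] = hw2.receive("HW_1", payload, tag) is None
    out["forgery_rejected"] = hw2.receive("HW_1", b"c_1 modified", tag) is None
    payload, tag = hw1.send("HW_2", b"c_2")       # second use: c-1 reached
    hw2.receive("HW_1", payload, tag)
    out["update_needed"] = hw1.needs_update("HW_2")
    out["updated"] = update(hw1, hw2)             # third (c-th) use authenticates the update
    out["old_key_rejected"] = hw2.receive("HW_1", b"c_3", mac(k, b"c_3")) is None
    out["new_key_works"] = hw2.receive("HW_1", *hw1.send("HW_2", b"c_3")) == b"c_3"
    try:
        for _ in range(C_USES):                   # exhaust the new key without an Update
            hw1.send("HW_2", b"x")
        out["exhaustion_enforced"] = False
    except RuntimeError:
        out["exhaustion_enforced"] = True
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two details matter for the security argument: the replay set is cleared when a new key is installed, because the freshness check in step 4 is per time period, and a message authenticated under a key that was already erased is rejected by the tag check alone, which is what makes erasing the old key in step 6(c) meaningful.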

Theorem 4.1. Assume that the compiler 𝒞 used in the above construction is secure 
in the λ-OCL^+ model. Then the above construction yields an LDS-obfuscator with 
continual λ-leaky hardware HW_1, ..., HW_m. 

The proof of Theorem 4.1 is given in the full version of this paper. 
Abstract. The assumption of the availability of tamper-proof hardware tokens 
has been used extensively in the design of cryptographic primitives. For example, 
Katz (Eurocrypt 2007) suggests them as an alternative to other setup 
assumptions, towards achieving general UC-secure multi-party computation. On 
the other hand, a lot of recent research has focused on protecting the security of 
various cryptographic primitives against physical attacks such as leakage and 
tampering. 

In this paper we put forward the notion of Built-in Tamper Resilience (BiTR) 
for cryptographic protocols, capturing the idea that the protocol that is encapsulated 
in a hardware token is designed in such a way that tampering gives 
no advantage to an adversary. Our definition is within the UC model, and can 
be viewed as unifying and extending several prior related works. We provide 
a composition theorem for BiTR security of protocols, impossibility results, as 
well as several BiTR constructions for specific cryptographic protocols or tampering 
function classes. In particular, we achieve general UC-secure computation 
based on a hardware token that may be susceptible to affine tampering attacks. We 
also prove that two existing identification and signature schemes (by Schnorr and 
Okamoto, respectively) are already BiTR against affine attacks (without requiring 
any modification or encoding). We next observe that non-malleable codes 
can be used as state encodings to achieve the BiTR property, and show new positive 
results for deterministic non-malleable encodings for various classes of tampering 
functions. 

1 Introduction 

Security Against Physical Attacks. Traditionally, cryptographic schemes have been 
analyzed assuming that an adversary has only black-box access to the underlying 
functionality, and no way to manipulate the internal state. For example, traditional security 
definitions for encryption schemes address an adversary who is given the public key 
(but not the private key) and tries to guess something about the plaintext of a challenge 
ciphertext, by applying some black-box attack (e.g., CPA or CCA). In practical 
situations, however, an adversary can often do more. For example, when using small 
portable devices such as smart-cards or mobile phones, an adversary can take hold of 
the device and apply a battery of attacks. One class of attacks are those that try to 
recover information via side channels such as power consumption [?], electromagnetic 
radiation [?], and timing [?]. To address these attacks, starting with the work 
of [27,33] there has been a surge of recent research activity on leakage-resilient 
cryptographic schemes (see, e.g., [?] and the references 
therein). The present work addresses tampering attacks, where an adversary can modify 
the secret data by applying various physical attacks (cf. [?]). Currently, there 
are only a few results in this area [23,26,21]. 

Hardware Tokens. As discussed above, cryptographic primitives have traditionally 
been assumed to be tamper (and leakage) proof. In the context of larger cryptographic 
protocols, there have been many works that (implicitly or explicitly) used secure 
hardware as a tool to achieve security goals that could not be achieved otherwise. The work 
most relevant to ours is that of Katz [28], who suggests using tamper-proof hardware 
tokens to achieve UC-secure [12] commitments. This allows achieving general feasibility 
results for UC-secure well-formed multi-party computation, where the parties, 
without any other setup assumptions, send each other tamper-proof hardware tokens 
implementing specific two-party protocols. There were several follow-up works such 
as [?], all of which assume a token that is tamper proof. 

Given the wide applicability of tamper-proof tokens on one hand, and the reality of 
tampering attacks on the other, we ask the following natural question: 

Can we relax the tamper-proof assumption, and get security using tamperable 
hardware tokens? 

Clearly, for the most general interpretation of this question, the answer is typically 
negative. For example, if the result of [28] were achievable with an arbitrarily-tamperable 
hardware token, that would give general UC-secure protocols in the "plain" model, 
which is known to be impossible [?]. In this work we address the above question in 
settings where the class of possible tampering functions and the class of protocols we 
wish to put in a token and protect are restricted. 


1.1 Our Contributions 

BiTR Definition. We provide a definition of Built-in Tamper Resilience (BiTR) for two-party 
cryptographic protocols, capturing the idea that the protocol can be encapsulated 
in a hardware token whose state may be tamperable. Our definition is very general, 
compatible with the UC setting [12], and implies that any BiTR protocol can be used as 
a hardware token within larger UC-protocols. Our definition may be viewed as unifying 
and generalizing previous definitions [23,26,21] and bringing them to the UC setting. 

BiTR is a property of a cryptographic protocol M, which roughly says the following. 
Any adversary that is able to apply tampering functions from the class 𝒯 on a 
token running M can be simulated by an adversary that has no tampering capability, 
independently of the environment in which the tokens may be deployed. 

The strongest result one would ideally want is a general compiler that takes an arbitrary 
protocol and transforms it into an equivalent protocol that is BiTR against arbitrary 
tampering functions, without having to encode the state into a larger one, and without 
requiring any additional randomness.^1 Since such a strong result is clearly impossible, 
we provide several specific results that trade off these parameters (see below), as well 
as the following composition theorem. 

BiTR Composition. As BiTR is a protocol-centric property, the natural question that 
arises is whether it is preserved under composition. A useful result for a general theory 
of BiTR cryptography would be a general composition theorem which allows combining 
a BiTR protocol calling a subroutine and a BiTR implementation of that subroutine 
into one overall BiTR protocol. To this end, we characterize BiTR composition 
of protocols by introducing the notion of modular-BiTR, which captures the property 
of being BiTR in the context of a larger protocol. We then prove that the property of 
modular-BiTR is necessary and sufficient for the construction of composite BiTR protocols. 
At the same time we also derive a negative result, namely that modular-BiTR 
protocols that preserve the BiTR property in any possible context (something we term 
universal-BiTR) are unattainable assuming the existence of one-way functions, at least 
for non-trivial protocols. These results thus settle the question of BiTR composability. 

BiTR Constructions without State Encoding. We describe results for BiTR primitives 
that require no state encodings. It may come as a surprise that it is possible 
to prove a cryptographic protocol BiTR without any encoding and thus without any 
validation of the secret protocol state whatsoever. This stems from the power of our 
definitional framework for BiTR and the fact that it can be achieved for specially 
selected and designed protocols and classes of tampering functions. We define the class 

$$\mathcal{T}_{\mathrm{aff}} = \{\, f_{a,b} \mid a \in \mathbb{Z}_q^*,\ b \in \mathbb{Z}_q,\ f_{a,b}(v) := av + b \bmod q \,\}.$$

That is, the adversary may apply a modular affine function of his choice to tamper with the state. 
Affine tampering is an interesting class to consider as it has as special cases multiplication 
(e.g., shifting, which may be the result of tampering shift-register based memory storage) and 
addition (which may be the result of bit-flipping tampering). 

We prove three protocols BiTR with respect to this class, where the tamper resilience 
is really "built-in" in the sense that no modification of the protocol or encoding of the 
state is necessary. The first one is Schnorr's (three-move) identification protocol [?]. 
The second is Okamoto's signature scheme [?]. Both protocols are interesting on their 
own (e.g., previous work [25] focused mostly on signature schemes), but the latter is 
also useful for the third protocol we prove affine-BiTR, described next. 

UC-Secure Computation from tamperable tokens. Katz's approach [28] for building 
UC-secure computation using hardware tokens allows a natural generalization that involves 
a commitment scheme with a special property we call dual-mode parameter 
generation (DPG): depending on the mode of the parameter, the commitment scheme 
is either statistically hiding or a trapdoor commitment. We then observe that any DPG-commitment 
is sufficient for providing UC-secure multi-party computation assuming 
tamper-proof tokens. Following this track, we present a new DPG-commitment scheme 
that is BiTR against affine tampering functions, which relies on discrete-log based primitives 
including the digital signature scheme of Okamoto [?]. Thus, we obtain UC-secure 
general computation using hardware tokens tamperable with affine functions. 

^1 If an encoding ψ of the state is required, it is desirable that it is deterministic (randomness 
may not be available in some systems or may be expensive to generate), and that it has as high a rate as 
possible. Ideally, an existing scheme can be proven BiTR as-is, without any state encoding at 
all. 

BiTR Constructions with State Encoding. We next discuss how one can take advantage 
of state consistency checks to design BiTR protocols. We observe first that non-malleable 
codes, introduced by Dziembowski, Pietrzak and Wichs [?], can be used as 
an encoding for proving the BiTR property of protocols. This gives rise to the problem 
of constructing such codes. Existing constructions [?] utilize randomness in calculating 
the encoding; we provide new constructions for such encodings focusing on 
purely deterministic constructions. In fact, when the protocol uses no randomness (e.g., 
a deterministic signing algorithm) or a finite amount of randomness (e.g., a prover in 
the resettable zero-knowledge [14] setting), by using deterministic encodings the token 
may dispense with the need for random number generation. 

Our design approach takes advantage of a generalization of non-malleable encodings 
(called δ-non-malleable), and we show how they can be constructed for any given set 
of tampering functions (as long as they exist). Although inefficient for general tampering 
functions, the construction becomes useful if each function in the class 𝒯 works 
independently on small blocks (of logarithmic size). In this case, we show that a non-malleable 
code for the overall state can be constructed efficiently by first applying a Reed-Solomon 
code to the overall state and then applying δ-non-malleable codes for small 
blocks to the resulting codeword. We stress that this construction is intended as a feasibility 
result. 


1.2 Related Work 

We briefly describe the most relevant previous works addressing protection against tampering. 
We note that none of these works has addressed tampering in the context of 
UC-secure protocols. 

Gennaro et al. [?] considered a device with two separate components: one is tamper-proof 
yet readable (circuitry), and the other is tamperable yet read-proof (memory). 
They defined algorithmic tamper-proof (ATP) security and explored its possibility for 
signature and decryption devices. Their definition of ATP security was given only for 
the specific tasks of signature and encryption. In contrast, our definition is simulation 
based, independent of the correctness or security objectives of the protocol, and we consider 
general two-party protocols (and the implications in the UC framework [?]). 

Ishai et al. [?] considered an adversary who can tamper with the wires of a circuit. 
They showed a general compiler that outputs a self-destructing circuit that withstands 
such a tampering adversary. Considering that memory corresponds to a subset of the 
wires associated with the state in their model, the model seems stronger than ours (as 
we consider only the state, not the computation circuit). However, the tampering attack 
they considered is very limited: it modifies a bounded subset of the wires between each 
invocation, which corresponds to tampering memory only partially. 

Dziembowski et al. [?] introduced the notion of non-malleable codes and tamper 
simulatability to address similar concerns as the present work. A distinguishing feature 
of BiTR security from their approach is that BiTR is protocol-centric. As such, it allows 
arguing about tamper resilience by taking advantage of specific protocol design features 
that enable BiTR even without any encodings. Moreover, the positive results of [?] 
require the introduction of additional circuitry or a randomness device; this may be 
infeasible, uneconomical or even unsafe in practice, since it could introduce new 
pathways for attacks. In contrast, our positive results do not require state encodings, or 
when they do, they do not rely on randomness. 

Bellare and Kohno defined security against related-key attacks (RKA) for block ciphers 
[?], and there has been follow-up work [5,3] (see also the references therein). 
Roughly speaking, RKA-security as it applies to PRFs and encryption is a strengthening 
of the security definition of the underlying primitive (be it indistinguishability from 
random functions or semantic security). RKA-security was only shown against tampering 
that included addition or multiplication (but not both simultaneously). In fact, 
RKA-security for PRFs as defined in [?] is different from BiTR when applied to PRFs. 
A BiTR PRF is not necessarily RKA-secure, since the BiTR simulator is allowed to 
take some liberties that would violate key independence under tampering as required 
by RKA-security. We do not pursue these relationships further here formally, as it is 
our intention to capture BiTR in the weakest possible sense and investigate how it naturally 
captures, in a simulation-based fashion, the concept of tamper resilience for any 
cryptographic primitive. 

2 BiTR Definitions 

BiTR Protocols. Katz [28] modeled usage of a tamper-proof hardware token as an ideal 
functionality F_wrap in the UC framework. Here, we slightly modify the functionality 
so that it is parameterized by an interactive Turing machine (ITM) M for a two-party 
protocol^2 (see Fig. 1). The modification does not change the essence of the wrapper 
functionality; it merely binds honest parties to the use of a specific embedded program. 
Corrupted parties may embed an arbitrary program in the token by invoking Forge. We 
also define a new functionality F_twrap similar to F_wrap but with tampering allowed. Let 
𝒯 be a collection of (randomized) functions. Let ψ = (E, D) be an encoding scheme.^3 
The essential difference between F_twrap and F_wrap is the ability of the adversary to 
tamper with the internal state of the hardware token: a function drawn from 𝒯 is 
applied to the internal state of the hardware token. This (weaker) ideal functionality 
is fundamental for the definition of BiTR that comes next. 

We define a security notion for a protocol M, called Built-in Tamper Resilience 
(BiTR), which essentially requires that F_twrap(M) is interchangeable with F_wrap(M). 
We adopt the notation of the UC framework given by Canetti [12]. 

Definition 1 (BiTR protocol). The protocol M is (𝒯, ψ)-BiTR if for any PPT A there 
exists a PPT S such that for any non-uniform PPT Z, 

$$\mathrm{IDEAL}_{\mathcal{F}_{twrap}(M,\mathcal{T},\psi),A,Z} \approx \mathrm{IDEAL}_{\mathcal{F}_{wrap}(M),S,Z},$$

where ≈ denotes computational indistinguishability. 

^2 We will interchangeably use protocols and ITMs, if there is no confusion. 

^3 We will sometimes omit ψ from F_twrap when it is obvious from the context. 
F_wrap(M) is parameterized by a polynomial p and a security parameter k. 

Create: Upon receiving (Create, sid, P, P', msg) from party P: Let msg' = (Initialize, 
msg). Run M(msg') for at most p(k) steps. Let out be the response of M 
(set out to ⊥ if M does not respond). Let s' be the updated state of M. Send 
(Initialized, sid, P', out) to P, and (Create, sid, P, P') to P' and the adversary. 
If there is no record (P, P', *, *), then store (P, P', M, s'). 

Forge: Upon receiving (Forge, sid, P, P', M', s) from the adversary, if P is not corrupted, 
do nothing. Otherwise, send (Create, sid, P, P') to P'. If there is no record 
(P, P', *, *), then store (P, P', M', s). 

Run: Upon receiving (Run, sid, P, msg) from party P', find a record (P, P', K, s). If 
there is no such record, do nothing. Otherwise, do: 

1. Run K(msg; s) for at most p(k) steps. Let out be the response of K (set out to ⊥ 
if K does not respond). Let s' be the updated state of K. Send (sid, P, out) to P'. 

2. Update the record with (P, P', K, s'). 


F_twrap(M, 𝒯, ψ) is also parameterized by p and k (and ψ = (E, D) is an encoding scheme). 

Create: As in F_wrap(M), with the only change that the state s' is stored as E(s') in memory. 

Forge: As in F_wrap(M). 

Run: Upon receiving (Run, sid, P, msg) from party P', find a record (P, P', K, s). If 
there is no such record, do nothing. Otherwise, do: 

1. (Tampering) If P' is corrupted and a record (sid, P, P', τ) exists, set s = τ(s) 
and erase the record. 

2. (Decoding) If P is corrupted, set s̃ = s; otherwise, set s̃ = D(s). If s̃ = ⊥, send 
(sid, P, ⊥) to P' and stop. 

3. Run K(msg; s̃) for at most p(k) steps. Let out be the response of K (set out to ⊥ 
if K does not respond). Let s' be the updated state of K. Send (sid, P, out) to P'. 

4. (Encoding) If P is corrupted, set s = s'; otherwise set s = E(s'). Update the 
record with (P, P', K, s). 

Tamper: Upon receiving (Tamper, sid, P, P', τ) from the adversary A, if P' is not corrupted 
or τ ∉ 𝒯, do nothing. Otherwise make a record (sid, P, P', τ) (erasing any 
previous record of the same form). 


Fig. 1. Ideal functionalities F_wrap(M) and F_twrap(M, 𝒯, ψ) 
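As an added example (not the paper's own code), the following Python puts together two things from this section and the introduction: the single-token Run/Tamper semantics of F_twrap with ψ = (id, id) from Fig. 1, and the intuition behind the claim that Schnorr identification is 𝒯_aff-BiTR without any state encoding. A simulator that only has the untampered token reproduces the tampered token's transcripts exactly, by asking the clean token the challenge a·e and adding e·b to its response. The toy group (p = 2039, q = 1019, g = 4), keeping the ephemeral r of one open session outside the tampered state, and the simulator strategy itself are assumptions of this example, not statements taken from the paper.

```python
import secrets

# Constructed toy Schnorr group for the example: p = 2q + 1 with q prime, g of order q.
P, Q, G = 2039, 1019, 4


def affine(a: int, b: int):
    """f_{a,b}(v) = a*v + b mod q, an element of the tampering class T_aff (a in Z_q^*)."""
    if a % Q == 0:
        raise ValueError("a must be in Z_q^*")
    return lambda v: (a * v + b) % Q


class SchnorrProver:
    """The ITM M wrapped in the token: the prover of Schnorr identification.
    Persistent state: the secret x.  'commit' returns R = g^r; ('challenge', e)
    returns s = r + e*x mod q.  The ephemeral r lives in scratch memory for one
    session only (modelling assumption: tampering acts on the persistent x)."""

    def __init__(self, x: int, rand=secrets.randbelow):
        self.x = x % Q
        self.rand = rand        # injectable so that runs can be compared deterministically
        self.r = None

    def run(self, msg):
        if msg == "commit":
            self.r = self.rand(Q)
            return pow(G, self.r, P)
        kind, e = msg
        if kind != "challenge" or self.r is None:
            return None
        s = (self.r + e * self.x) % Q
        self.r = None
        return s


class TamperableToken:
    """Single-token view of F_twrap(M, T_aff, (id, id)): Tamper records a function tau,
    and the next Run applies tau to the stored state before running M (step 1 of Run)."""

    def __init__(self, machine: SchnorrProver):
        self.m = machine
        self.pending = None

    def tamper(self, tau) -> None:
        self.pending = tau      # a newer Tamper replaces an older, unapplied one

    def run(self, msg):
        if self.pending is not None:
            self.m.x = self.pending(self.m.x)
            self.pending = None
        return self.m.run(msg)


def verifies(y: int, R: int, e: int, s: int) -> bool:
    """Schnorr verification for public key y = g^x: g^s == R * y^e mod p."""
    return pow(G, s, P) == (R * pow(y, e, P)) % P


def tampered_session(token: TamperableToken, a: int, b: int, e: int):
    """What the adversary sees from the real token after tampering with f_{a,b}."""
    token.tamper(affine(a, b))
    R = token.run("commit")
    return R, token.run(("challenge", e))


def simulate_tampered_session(clean: TamperableToken, a: int, b: int, e: int):
    """Simulator S with only the untampered token.  The tampered key is a*x + b, so S
    asks the clean token the challenge a*e and adds e*b to the answer:
    (r + (a*e)*x) + e*b = r + e*(a*x + b), with the same uniformly random r."""
    R = clean.run("commit")
    s_clean = clean.run(("challenge", (a * e) % Q))
    return R, (s_clean + e * b) % Q


if __name__ == "__main__":
    x, a, b, e = 123, 7, 99, 500
    fixed = lambda q: 777   # same r on both sides so the transcripts can be compared
    real = tampered_session(TamperableToken(SchnorrProver(x, fixed)), a, b, e)
    sim = simulate_tampered_session(TamperableToken(SchnorrProver(x, fixed)), a, b, e)
    print("tampered transcript:", real, "simulated:", sim, "equal:", real == sim)
```

The simulated and real transcripts are identical for the same coin r, and the simulator makes exactly one token access per session, which is the "tighter" simulation property discussed after Definition 1. The tampered transcript verifies under g^{ax+b} but not under the honest key g^x, so the tampering is detectable by a verifier and yet gives the adversary nothing it could not compute with black-box access to the untampered prover.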


In case ψ = (id, id) (i.e., identity functions), we simply write 𝒯-BiTR. Note that this 
definition is given through the ideal model, which implies (by the standard UC theorem) 
that whenever a tamper-proof token wrapping M can be used, it can be replaced by a 
𝒯-tamperable token wrapping M.^4 As a trivial example, every protocol is {id}-BiTR. 

We note that the above definition is intended to capture in the weakest possible sense 
the fact that a protocol is tamper resilient within an arbitrary environment. A feature of 
the definition is that there is no restriction on the way the simulator accesses the underlying 
primitive (as long as no tampering is allowed). This enables, e.g., a signature scheme to be 
called BiTR even if simulating tampered signatures requires untampered signatures on 
different chosen messages, or even on a larger number of chosen messages. We believe 
that this is the correct requirement for the definition to capture that "if the underlying 
primitive is secure without tampering, it is secure also with tampering" (in the signature 
example, security is unforgeability against any polynomial-time chosen-message 
attack). Nonetheless, it can arguably be even better to achieve BiTR security through 
a "tighter" simulation, where the BiTR simulator is somehow restricted to behave in a 
manner that is closer to the way A operates (except for tampering, of course), or possibly 
even more restricted. For instance, one may restrict the number of times the token 
is accessed by the simulator to be upper bounded by the number of times A accesses 
the token. In fact, all our positive results do satisfy this desired additional tighter simulation 
property. Taking this logic even further, one may even require that once tampering 
occurs the BiTR simulator can complete the simulation without accessing the token at 
all, effectively suggesting that tampering trivializes the token and makes it entirely 
simulatable. We believe that the ability of BiTR to be readily extended to capture such 
more powerful scenarios highlights the robustness of our notion and, even though these 
scenarios are not further pursued here, the present work provides the right basis for such 
upcoming investigations. 

^4 One could also consider a definition that requires this in the context of a specific UC-protocol. 
We believe our stronger definition, which holds for any UC-protocol using a token with M, is 
the right definition for built-in tamper resilience. 

2.1 Composition of BiTR ITMs 

It is natural to ask if a modular design approach applies to BiTR protocols. To investigate this question we first need to consider how to define the BiTR property in a setting where protocols are allowed to call subroutines.

Consider an ITM $M_2$ and another ITM $M_1$ that calls $M_2$ as a subroutine. We denote by $(M_1; M_2)$ the compound ITM. The internal state of $(M_1; M_2)$ is represented by the concatenation of the two states $s_1 \| s_2$, where $s_1$ and $s_2$ are the states of $M_1$ and $M_2$ at a certain moment of the runtime, respectively. Let $\mathcal{F}_{twrap}(M_1; M_2, \mathcal{T}_1 \times \mathcal{T}_2, \psi_1 \times \psi_2)$ denote an ideal functionality that permits tampering with functions from $\mathcal{T}_1$ for the state of $M_1$ and from $\mathcal{T}_2$ for the state of $M_2$, while the states are encoded with $\psi_1$ and $\psi_2$ respectively. We can also consider a sequence of ITMs that call each other successively, $M = (M_1; \ldots; M_n)$. We next generalize the BiTR notion for an ITM $M_i$ employed in the context of $M$ in a straightforward manner.

Definition 2 (modular BiTR protocol). Given $M = (M_1; \ldots; M_n)$, $\mathcal{T} = \mathcal{T}_1 \times \cdots \times \mathcal{T}_n$, and $\psi = \psi_1 \times \cdots \times \psi_n$, for some $i \in [n]$, we say that $M_i$ is modular-$(\mathcal{T}_i, \psi_i)$-BiTR with respect to $M$, $\mathcal{T}$ and $\psi$ if for any PPT $\mathcal{A}$ there exists a PPT $\mathcal{S}$ such that for any non-uniform PPT $\mathcal{Z}$,

$$\mathrm{IDEAL}_{\mathcal{F}_{twrap}(M, \bar{\mathcal{T}}_{i-1}, \psi), \mathcal{A}, \mathcal{Z}} \;\approx\; \mathrm{IDEAL}_{\mathcal{F}_{twrap}(M, \bar{\mathcal{T}}_i, \psi), \mathcal{S}, \mathcal{Z}},$$

where $\bar{\mathcal{T}}_i = \{id\} \times \cdots \times \{id\} \times \mathcal{T}_{i+1} \times \cdots \times \mathcal{T}_n$ (the first $i$ components are $\{id\}$, so that $\bar{\mathcal{T}}_0 = \mathcal{T}$).

Roughly speaking, this definition requires that whatever the adversary can do by tampering $M_i$ with $\mathcal{T}_i$ (on the left-hand side) can also be done without it (on the right-hand side) in the context of $M$, $\mathcal{T}$, $\psi$. For simplicity, if $M$, $\mathcal{T}$, $\psi$ are clear from the context, we will omit the reference to them and call an ITM $M_i$ simply modular-$(\mathcal{T}_i, \psi_i)$-BiTR.

The composition theorem below confirms that each ITM being modular BiTR is a necessary and sufficient condition for the overall compound ITM being BiTR.

Theorem 1 (BiTR Composition Theorem). Consider protocols $M_1, \ldots, M_n$ with $M = (M_1; \ldots; M_n)$, $\mathcal{T} = \mathcal{T}_1 \times \cdots \times \mathcal{T}_n$, and $\psi = \psi_1 \times \cdots \times \psi_n$. It holds that $M_i$ is modular-$(\mathcal{T}_i, \psi_i)$-BiTR for $i = 1, \ldots, n$, with respect to $M$, $\mathcal{T}$, $\psi$, if and only if $(M_1; \ldots; M_n)$ is $(\mathcal{T}, \psi)$-BiTR.

A natural task that arises next is to understand the modular-BiTR notion.

Context Sensitivity of Modular-BiTR Security. The modular-BiTR definition is context-sensitive; an ITM may be modular BiTR in some contexts but not in others, in particular depending on the overall compound token $M$. This naturally begs the question whether there is a modular-BiTR ITM that is insensitive to the context. In this way, akin to a universally composable protocol, a universally BiTR ITM could be used modularly together with any other ITM and still retain its BiTR property. To capture this we formalize universal-BiTR security below, as well as a weaker variant of it, called universal-BiTR parent, which applies only to ITMs used as the parent in a sequence of ITMs.

Definition 3 (universal BiTR). If an ITM $M$ is modular-$(\mathcal{T}, \psi)$-BiTR with respect to any possible $\bar{M}$, $\bar{\mathcal{T}}$, $\bar{\psi}$ then we call $M$ universal-$(\mathcal{T}, \psi)$-BiTR. If $M$ is modular-$(\mathcal{T}, \psi)$-BiTR whenever $M$ is used as the parent ITM then we call it universal-$(\mathcal{T}, \psi)$-BiTR parent.

Not very surprisingly (and in parallel to the case of UC protocols) this property is very difficult to achieve. In fact, we show that if one-way functions exist then non-trivial universal-BiTR ITMs do not exist. We first define non-triviality: an ITM $M$ will be called non-trivial if the set of its states can be partitioned into at least two sets $S_0, S_1$ and there exists a set of inputs $A$ that produce distinct outputs depending on whether, when the ITM $M$ is called, its internal state belongs to $S_0$ or to $S_1$. We call the pair of sets a state partition for $M$ and the set $A$ the distinguishing input-set. Note that if an ITM is trivial then for any partition of the set of states $S_0, S_1$ and any set of inputs $A$, calling the ITM $M$ on $A$ produces identical output. This effectively means that the ITM $M$ does not utilize its internal state at all and is obviously BiTR by default. Regarding non-trivial ITMs, we next prove that they cannot be $(\mathcal{T}, \psi)$-BiTR for any tampering function $\tau$ that switches the state between the two sets $S_0, S_1$, i.e., $\tau(S_0) \subseteq S_1$ and $\tau(S_1) \subseteq S_0$. We call such a tampering function state-switching for the ITM $M$. If an encoding $\psi$ is involved, we call $\tau$ state-switching for the encoding $\psi$. We are now ready to state our negative result.

Theorem 2. Assuming one-way functions exist, there is no non-trivial universal-$(\mathcal{T}, \psi)$-BiTR ITM $M$ such that $\mathcal{T}$ contains a state-switching function for $M$ and the encoding $\psi$.

Roughly speaking, the theorem holds since a parent ITM $M_1$ calling $M_2$ can make the message exchanges between them quite non-malleable by outputting a signature on these messages. In this context, no non-trivial $M_2$ can be modular-BiTR, and thus $M_2$ is not universal-BiTR. We note that the above theorem is quite final for the case of universal BiTR ITMs. It leaves only the possibility of proving the universal-BiTR property for trivial ITMs (which satisfy the notion by default) or for sets of functions that are not state-switching, i.e., functions that essentially do not affect the output of $M$ and are therefore inconsequential. This state of affairs is not foreign to properties that are supposed to universally compose. Indeed, in the case of UC security, large classes of functionalities are not UC-realizable. To counter this issue, in the UC setting one may seek setup assumptions to alleviate the problem, but in our setting setup assumptions should be avoided. For this reason, proving the modular-BiTR property within a given context is preferable.

On the other hand, the universal-BiTR parent property turns out to be feasible, and thus this leaves a context-insensitive property to be utilized for the modular design of BiTR protocols. We in fact take advantage of this and, jumping ahead, the parent ITM in the compound ITM used to achieve general UC-secure MPC in Section 4 satisfies this property and can be composed with any child ITM.

3 Affine BiTR Protocols without State Encoding

In this section, we show two protocols (for identification and signatures, respectively) that are BiTR against certain tampering functions, without using any modification or encoding. Specifically, we consider a tampering adversary that can modify the state of the hardware with affine functions. Assuming the state of the hardware is represented by variables of $\mathbb{Z}_q$ for some prime $q$, the adversary can choose a tampering on a variable $v$, which will change $v$ into $f_{a,b}(v) = av + b \bmod q$. Let $\mathcal{T}_{aff} = \{f_{a,b} \mid a \in \mathbb{Z}_q^*, b \in \mathbb{Z}_q\}$ and $\mathcal{T}_{aff}^2 = \mathcal{T}_{aff} \times \mathcal{T}_{aff}$.

Schnorr Identification [39]. The Schnorr identification scheme is a two-round two-party protocol between a prover and a verifier. The common input is $y = g^x$, where $g$ is a generator of a cyclic group of size $q$, and the prover's auxiliary input is $x \in \mathbb{Z}_q$. The protocol proceeds as follows:

1. The prover picks a random $t \in \mathbb{Z}_q$ and sends $z = g^t$ to the verifier.

2. The verifier picks a random $c \in \mathbb{Z}_q$ and sends $c$ to the prover, which in turn computes $s = cx + t \bmod q$ and sends $s$ to the verifier. The verifier checks whether $z y^c = g^s$.

We consider an ITM $M$ on the prover side wrapped as a hardware token. This ITM is BiTR against affine functions. To see why, suppose that the adversary tampers with the state, changing $x$ into $ax + b$ for some $a$ and $b$. In the second round, the BiTR simulator, given the challenge $c$ from the adversary that is supposed to go to $\mathcal{F}_{twrap}(M, \mathcal{T}_{aff})$, has to find an appropriate $c'$ going to $\mathcal{F}_{wrap}(M)$ such that the simulator, on receiving $s' = c'x + t$ from $\mathcal{F}_{wrap}(M)$, can output $c(ax + b) + t$, which is what would come from $\mathcal{F}_{twrap}(M, \mathcal{T}_{aff})$. In summary, given $(a, b, c, s')$, but not $x$ or $t$, the simulator has to generate a correct output by controlling $c'$. It can do so by choosing $c' = ac$ and outputting $s' + cb$. Note that $s' + cb = acx + t + cb = c(ax + b) + t$.
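The translation just described, as an added worked example (this is not code from the paper): a toy model of the Schnorr prover token as it would be wrapped by $\mathcal{F}_{wrap}$ / $\mathcal{F}_{twrap}$, an affine tampering $x \mapsto ax + b$ applied between the two rounds, and the BiTR simulator that queries the untampered token with $c' = ac$ and returns $s' + cb$. The 10-bit safe-prime group and the names SchnorrProverToken, real_tampered_response and simulated_response are assumptions of the example, chosen for illustration only; the same coin $t$ is fixed in both worlds so that the two outputs can be compared directly.

```python
# Added example (not from the paper): Schnorr prover token under affine tampering
# and the BiTR simulator of Section 3. Group parameters are toy-sized (assumption).
import secrets

P, Q, G = 1019, 509, 4     # safe prime P = 2Q + 1; G generates the order-Q subgroup


class SchnorrProverToken:
    """ITM M on the prover side (state: the secret x in Z_Q).
    Messages: ('commit',) -> z = g^t ; ('respond', c) -> s = c*x + t mod Q."""

    def __init__(self, x, t=None):
        self.x = x % Q
        self.t = t                     # the per-session coin t (None until 'commit')

    def run(self, msg):
        if msg[0] == 'commit':
            self.t = secrets.randbelow(Q)
            return pow(G, self.t, P)
        if msg[0] == 'respond':
            c = msg[1] % Q
            return (c * self.x + self.t) % Q
        return None                    # unknown message: the token outputs bottom


def affine(a, b):
    """Tampering function f_{a,b}(v) = a*v + b mod Q from T_aff (a must be a unit)."""
    if a % Q == 0:
        raise ValueError("a must lie in Z_Q^*")
    return lambda v: (a * v + b) % Q


def tampered_public_key(y, a, b):
    """Public key that corresponds to the tampered secret a*x + b: y^a * g^b."""
    return pow(y, a, P) * pow(G, b, P) % P


def real_tampered_response(x, a, b, c, t):
    """What F_twrap(M, T_aff) answers in round two: the Tamper record f_{a,b} is
    applied to the state (step 1 of Run), then K runs on the challenge c."""
    token = SchnorrProverToken(x, t)   # t fixed so both worlds use the same coin
    token.x = affine(a, b)(token.x)
    return token.run(('respond', c))


def simulated_response(x, a, b, c, t):
    """BiTR simulator: it sees (a, b) (the adversary's Tamper message) and c, but
    never x or t. It talks only to the untampered token F_wrap(M)."""
    untampered = SchnorrProverToken(x, t)   # the simulator only sees its outputs
    c_prime = (a * c) % Q                   # choose c' = a*c
    s_prime = untampered.run(('respond', c_prime))   # s' = a*c*x + t
    return (s_prime + c * b) % Q            # s' + c*b = c*(a*x + b) + t


def verify(y, z, c, s):
    """Verifier check z * y^c == g^s."""
    return z * pow(y, c, P) % P == pow(G, s, P)


if __name__ == "__main__":
    x, a, b, c, t = 123, 7, 55, 200, 77
    real = real_tampered_response(x, a, b, c, t)
    sim = simulated_response(x, a, b, c, t)
    y_tampered = tampered_public_key(pow(G, x, P), a, b)
    print(real, sim, verify(y_tampered, pow(G, t, P), c, sim))
```

The simulated transcript verifies under the tampered public key $y^a g^b$ and not under the original $y$, which is exactly the behaviour the real tampered token exhibits; the simulator never needed $x$ or $t$, only the adversary's own choice of $(a, b)$ and $c$.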

Signature Scheme due to Okamoto. The digital signature scheme of Okamoto was employed in the context of designing blind signatures. Here we show that it is BiTR against affine functions. We give a brief description next. Let $(G_1, G_2)$ be a bilinear group as follows: (1) $G_1$ and $G_2$ are two cyclic groups of prime order $q$, possibly with $G_1 = G_2$; (2) $h_1$ and $h_2$ are generators of $G_1$ and $G_2$ respectively; (3) $\psi$ is an isomorphism from $G_2$ to $G_1$ such that $\psi(h_2) = h_1$; (4) $e$ is a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$ where $|G_T| = q$ and, $\forall u \in G_1\ \forall v \in G_2\ \forall a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.

The signature scheme below is secure against a chosen-message attack under the Strong Diffie-Hellman assumption.

- Key Generation: Randomly select generators $g_2, u_2, v_2 \in G_2$ and compute $g_1 = \psi(g_2)$, $u_1 = \psi(u_2)$, and $v_1 = \psi(v_2)$. Choose a random $x \in \mathbb{Z}_q^*$ and compute $w_2 = g_2^x$. The verification key is $(g_1, g_2, w_2, u_2, v_2)$. The signing key is $x$.

- Signature of a message $m \in \mathbb{Z}_q^*$: Choose random $r, s \in \mathbb{Z}_q^*$. The signature is $(\sigma, r, s)$ where $\sigma = (g_1^m u_1 v_1^s)^{1/(x+r)}$ and $x + r \neq 0 \pmod q$.

- Verification of $(m, \sigma, r, s)$: Check that $m, r, s \in \mathbb{Z}_q^*$, $\sigma \in G_1$, $\sigma \neq 1$, and

$$e(\sigma, w_2 g_2^r) = e(g_1, g_2^m u_2 v_2^s).$$


$M_{oka}$: The description of $G_1$, $G_2$, $g_2$, $u_2$, $v_2$, and a collision-resistant hash function $H : \{0,1\}^n \to \mathbb{Z}_q^*$ are embedded in the program as a public parameter. The state is $x \in \mathbb{Z}_q$.

Initialization

- Upon receiving a message (Initialize), choose $x \in_R \mathbb{Z}_q$ and $g_2, u_2, v_2 \in_R G_2$, and output $(g_2, w_2, u_2, v_2)$.

Message Handling

- Upon receiving a message (Sign, $m$): Choose random $r, s \in \mathbb{Z}_q^*$ such that $x + r \neq 0 \pmod q$. Compute $\sigma$ as in the signing algorithm above and output $(\sigma, r, s)$.


Fig. 2. Okamoto signature token $M_{oka}$


The signature token is described in Fig. 2. Similarly to the Schnorr ITM above, this token can be shown to be BiTR against affine functions.

Theorem 3. The ITM $M_{oka}$ in Fig. 2 is $\mathcal{T}_{aff}$-BiTR.

4 UC Secure Computation from Tamperable Tokens 

In this section we examine the problem of achieving UC-secure computation relying on tamperable (rather than tamper-proof) tokens. Our starting point is the result of Katz, obtaining a UC commitment scheme (and general UC-secure computation) in the $\mathcal{F}_{wrap}(M)$-hybrid model for an ITM $M$ which, unfortunately, is not BiTR. However, we manage to change $M$ so that the modified ITM $M'$ is BiTR against affine functions, thus obtaining a UC commitment in the $\mathcal{F}_{twrap}(M')$-hybrid model. Along the way, we present a generalization of Katz's scheme for building commitment schemes, which we call commitments with dual-mode parameter generation.

4.1 Katz’s Commitment Scheme and its Generalization. 

Intuitively, the UC-secure commitment scheme given by Katz uses the tamper-proof hardware token to give the simulator an advantage over the adversary, forcing the commitment scheme to become extractable (in case the sender is corrupted) or equivocal (in case the receiver is corrupted). In spirit, this idea can be traced to the earlier notion of mixed commitment schemes, although the two results differ greatly in techniques.

We abstract the approach of Katz to build UC commitments in Fig. 3. The UC commitment scheme is based on a primitive that we call commitment with dual-mode parameter generation (DPG-commitment for short).


Commitment Phase:

1. Each of the sender and the receiver calls $\mathcal{F}_{wrap}(M)$ with a Create message.

2. Each party executes the dual-mode parameter generation procedure with $\mathcal{F}_{wrap}(M)$. Let $pS$ be the parameter the receiver obtained, and $pR$ the one the sender obtained. The parameters $pR$ and $pS$ are exchanged.

3. The sender commits to a message $m$ by sending $(C_1, C_2, \pi)$, where $C_1$ is a commitment to $m$ based on the parameter $pS$, $C_2$ is a statistically-binding commitment to $m$, and $\pi$ is a WI proof that (1) $C_1$ and $C_2$ commit to the same message, or (2) $pR$ was generated in the extraction mode.

Opening Phase:

1. The sender reveals $(m, \pi')$, where $m$ is the committed message and $\pi'$ is a WI proof that (1) $C_2$ commits to $m$, or (2) $pR$ was generated in the extraction mode.


Fig. 3. A UC commitment that uses a DPG-commitment scheme $\Pi$ with protocol $M$ in the $\mathcal{F}_{wrap}(M)$-hybrid model.

A DPG-commitment is a commitment scheme whose parameter is generated by an interactive protocol $M$ that is wrapped in a hardware token. Formally, we define the following:

Definition 4 (DPG-commitment scheme). A commitment scheme $\Pi = (\mathrm{Com}, \mathrm{Decom})$ that is parameterized by $p$ has a dual-mode parameter generation (DPG-commitment) if there are ITMs $M$ and $P$ that form a two-party protocol $(P, M)$ and have the following properties:

- (Normal mode) For any PPT $P^*$, with overwhelming probability, the output of $(P^*, M)$ satisfies that if it is not $\bot$ then it contains a parameter $p$ over which the commitment scheme $\Pi$ is unconditionally hiding.

- (Extraction mode) For any $M^*$ with the same I/O as $M$, there is a PPT $\mathcal{S}$ that returns $(p, t)$ such that the commitment scheme $\Pi$ with the parameter $p$ is a trapdoor commitment scheme with trapdoor $t$, and the parameter generated by $\mathcal{S}$ is computationally indistinguishable from the parameter generated by $(P, M^*)$.

It is worth noting that DPG-commitments are very different from mixed commitments. For one thing, contrary to mixed commitments, DPG-commitments do not have equivocal parameters. Moreover, mixed commitments have parameters that with overwhelming probability become extractable based on a trapdoor hidden in the common reference string. In contrast, DPG-commitments become extractable due to the manipulation of the parameter generation protocol $M$ (specifically, the ability of the simulator to rewind it). Now, using the same arguments as in Katz's work, it is possible to show that the commitment scheme in Fig. 3 is a UC commitment provided that the underlying scheme used for $C_1$ is a DPG-commitment. We briefly sketch the proof argument. When the sender is corrupted, the simulator has to extract the committed message. This can be done by making $pS$ extractable. Then, given a commitment $(C_1, C_2, \pi)$ from the adversary, the simulator can extract the message committed to in $C_1$ using the trapdoor of $pS$. When the receiver is corrupted, the simulator can make the commitment equivocal by causing $pR$ to be extractable. Using the trapdoor for $pR$ as the witness, the simulator can generate WI proofs $\pi$ and $\pi'$ with respect to condition (2) and thus open the commitment to an arbitrary message.

We next briefly argue that the construction suggested by Katz amounts to a DPG-commitment scheme. The token operates over a multiplicative cyclic group of prime order. In the first round, a party generates a cyclic group and sends to the token the group description and random elements $g$ and $h$ of the group; then, the token sends back a Pedersen commitment $c = \mathrm{com}(g_1, g_2)$ to random $g_1, g_2$.[5] In the second and final round, the party sends random $h_1, h_2$, and then the token opens the commitment $c$ and outputs the signature on $(g, h, \hat{g}_1, \hat{g}_2)$ where $\hat{g}_1 = g_1 h_1$ and $\hat{g}_2 = g_2 h_2$. With parameter $(g, h, \hat{g}_1, \hat{g}_2)$, the commitment $C_1$ to a bit $b$ is defined as $(g^{r_1} h^{r_2}, \hat{g}_1^{r_1} \hat{g}_2^{r_2} g^b)$ for randomly chosen $r_1, r_2 \in \mathbb{Z}_q$. It is well known (and easy to check) that if the parameter is a Diffie-Hellman (DH) tuple and $t = \log_g \hat{g}_1 = \log_h \hat{g}_2$ is known, then $b$ can be efficiently extracted from the commitment: writing $C_1 = (A, B)$, one has $B = A^t g^b$, so $b = 0$ iff $B = A^t$. On the other hand, if it is a random tuple, this commitment scheme is perfectly hiding. Extraction mode is achieved by rewinding the code of a malicious token $M^*$. Specifically, for a given $M^*$, the simulator $\mathcal{S}$ proceeds by picking a random DH tuple $(g, h, \hat{g}_1 = g^t, \hat{g}_2 = h^t)$ and running $M^*$ once to reach a successful termination and learn the values $g_1, g_2$. Subsequently, it rewinds $M^*$ to right before the second round and selects $h_1 = \hat{g}_1 / g_1$ and $h_2 = \hat{g}_2 / g_2$. This results in the parameter produced by $M^*$ being equal to the DH tuple, i.e., a parameter that is extractable with trapdoor $t$.
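The parameter-generation protocol and the extraction-mode simulator just described, as an added example (this is neither Katz's code nor the paper's): a toy safe-prime group, the commitment $C_1 = (g^{r_1} h^{r_2}, \hat{g}_1^{r_1} \hat{g}_2^{r_2} g^b)$, extraction with the trapdoor $t$, and a simulator that rewinds the token (modelled by taking a copy of the token object before round two) and chooses $h_i = \hat{g}_i / g_i$. Two simplifications are assumptions of the example: the token's Pedersen commitment is replaced by a hash commitment, and the signature on the final tuple is omitted; the group size and the names ParamToken, normal_mode and extraction_mode are likewise the example's own.

```python
# Added example (not from the paper): dual-mode parameter generation in the style
# of Katz's token, with extraction via a DH trapdoor and rewinding. Toy group,
# hash commitment instead of Pedersen, signature omitted (assumptions).
import copy
import hashlib
import secrets

P, Q, G = 1019, 509, 4     # safe prime P = 2Q + 1; G generates the order-Q subgroup


def rand_exp():
    return 1 + secrets.randbelow(Q - 1)          # uniform in Z_Q^*


def _com(g1, g2, nonce):
    """Stand-in for the token's Pedersen commitment to (g1, g2)."""
    return hashlib.sha256(f"{g1}|{g2}".encode() + nonce).hexdigest()


class ParamToken:
    """Honest token M: round 1 commits to random g1, g2; round 2 opens the
    commitment and returns the parameter (g, h, g1*h1, g2*h2)."""

    def __init__(self):
        self.state = None

    def round1(self, g, h):
        r1, r2, nonce = rand_exp(), rand_exp(), secrets.token_bytes(16)
        self.state = (g, h, r1, r2, nonce)
        return _com(pow(g, r1, P), pow(g, r2, P), nonce)

    def round2(self, h1, h2):
        g, h, r1, r2, nonce = self.state
        g1, g2 = pow(g, r1, P), pow(g, r2, P)
        return (g1, g2, nonce), (g, h, g1 * h1 % P, g2 * h2 % P)


def commit(param, b, r1=None, r2=None):
    """C1 = (g^r1 h^r2, g1^r1 g2^r2 g^b) for a bit b; returns the commitment and coins."""
    g, h, g1, g2 = param
    r1 = secrets.randbelow(Q) if r1 is None else r1
    r2 = secrets.randbelow(Q) if r2 is None else r2
    A = pow(g, r1, P) * pow(h, r2, P) % P
    B = pow(g1, r1, P) * pow(g2, r2, P) * pow(g, b, P) % P
    return (A, B), (r1, r2)


def extract(param, C, t):
    """If g1 = g^t and g2 = h^t then B = A^t * g^b, so b = 0 iff B == A^t."""
    (A, B), g = C, param[0]
    if B == pow(A, t, P):
        return 0
    if B == pow(A, t, P) * g % P:
        return 1
    return None


def is_dh_tuple(param, t):
    g, h, g1, g2 = param
    return g1 == pow(g, t, P) and g2 == pow(h, t, P)


def normal_mode(token):
    """Honest party P: its random h1, h2 make the parameter a random tuple."""
    g, h = G, pow(G, rand_exp(), P)
    c = token.round1(g, h)
    (g1, g2, nonce), param = token.round2(pow(G, rand_exp(), P), pow(G, rand_exp(), P))
    if _com(g1, g2, nonce) != c:
        return None                       # the token cheated on its opening
    return param


def extraction_mode(token):
    """Simulator S: pick a DH tuple, learn g1, g2 once, rewind the token and
    choose h_i = ghat_i / g_i so the token's own output is the DH tuple."""
    g, h, t = G, pow(G, rand_exp(), P), rand_exp()
    ghat1, ghat2 = pow(g, t, P), pow(h, t, P)
    token.round1(g, h)
    snapshot = copy.deepcopy(token)        # rewinding point: right before round 2
    (g1, g2, _), _ = token.round2(pow(G, rand_exp(), P), pow(G, rand_exp(), P))
    token = snapshot                       # rewind
    h1 = ghat1 * pow(g1, -1, P) % P
    h2 = ghat2 * pow(g2, -1, P) % P
    _, param = token.round2(h1, h2)       # the opening is binding, so same g1, g2
    return param, t


if __name__ == "__main__":
    param, t = extraction_mode(ParamToken())
    C, _ = commit(param, 1)
    print(is_dh_tuple(param, t), extract(param, C, t), normal_mode(ParamToken()))
```

The real token signs $(g, h, \hat{g}_1, \hat{g}_2)$ in round two; that signature is what later prevents the simulator from substituting a different tuple when the token's state has been tampered with, which is the issue Section 4.2 addresses.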

4.2 UC-Secure Commitment Scheme from a Tamperable Token 

It is easy to see that the following result holds using the BiTR security properties.

Corollary 4. If an ITM $M$ achieving parameters for a DPG-commitment scheme is $\mathcal{T}$-BiTR, then there exists a UC-secure commitment scheme in the $\mathcal{F}_{twrap}(M, \mathcal{T})$-hybrid model.

Therefore, if the token used by Katz is $\mathcal{T}_{aff}$-BiTR, then we obtain a UC-secure commitment scheme in the $\mathcal{F}_{twrap}(M, \mathcal{T}_{aff})$-hybrid model. Unfortunately, the token is not $\mathcal{T}_{aff}$-BiTR. We explain the issue below. Recall that in the first round the token sends a commitment to $g_1, g_2$. Suppose that $g_1 = g^{r_1}$ and $g_2 = g^{r_2}$ and that the values $r_1$ and $r_2$ are stored as state in the token after the first round. Suppose in addition that by tampering with an affine function the adversary causes the state to become $(ar_1 + b, r_2)$ for some $a$ and $b$. Then, in the second round, the simulator, given $h_1$ and $h_2$ from the adversary, has to send $\mathcal{F}_{wrap}$ appropriate messages $h_1'$ and $h_2'$ so that it can manipulate the output from $\mathcal{F}_{wrap}$ as if the result came from $\mathcal{F}_{twrap}$. Here the signature on $(g, h, \hat{g}_1, \hat{g}_2)$ is a critical obstacle, since the simulator cannot modify it (otherwise, it would violate the unforgeability of the signature scheme). This means that for the simulation to be successful it should hold that $\hat{g}_1 = g^{ar_1 + b} h_1 = g^{r_1} h_1'$, i.e., the simulator should select $h_1' = g^{(a-1)r_1 + b} h_1$. Unfortunately, the simulator does not know $r_1$ when it is supposed to send $h_1'$.

5 We use a slightly different notation compared to Katz's paper to unify the presentation with our BiTR token that is shown later.


Let $G$ be the cyclic multiplicative group of size $q$ defined by a safe prime $p = 2q + 1$ and let $g$ be a generator of $G$. The description of $G$ is embedded in the program. The state is $(r_1, r_2, s_1, s_2) \in \mathbb{Z}_q^4$. It uses a signature ITM $K$ as a subprotocol.

Initialization

- Upon receiving a message (Initialize), call $K$ with (Initialize), set the state to all 0s and output whatever $K$ outputs.

Message Handling

- Upon receiving a message $h_0$: Check that $h_0$ is a generator of $G$. If the check fails, output $\bot$. Otherwise, pick $r_i, s_i \in_R \mathbb{Z}_q$ and compute Pedersen commitments $\mathrm{com}_i = g^{s_i} h_0^{\lambda(g_i)}$ for $i = 1, 2$, where $g_i = g^{r_i}$ and $\lambda$ is defined as $\lambda(a) = a$ if $a > p/2$, and $p - a$ otherwise. Output $(\mathrm{com}_1, \mathrm{com}_2)$.

- Upon receiving a message $(h, h_1, h_2, x_1, x_2)$: Check that $h, h_1, h_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q^*$. If the check fails, output $\bot$. Otherwise, let $g_i = g^{r_i}$ and compute $\hat{g}_i = g_i^{x_i} h_i$ for $i = 1, 2$. Call $K$ with $(\mathrm{Sign}, (P, P', p, g, h, \hat{g}_1, \hat{g}_2))$ to get a signature $\sigma$. Output $(g_1, g_2, s_1, s_2, \sigma)$ (the opening of the commitments together with the signature). Pick fresh $r_i, s_i \in_R \mathbb{Z}_q$ for $i = 1, 2$.


Fig. 4. Dual parameter generating ITM $M_{dpg}$ that is universal-BiTR parent


By slightly changing the token above, however, we manage to obtain a DPG-achieving ITM $M_{dpg}$ that is BiTR against affine tampering functions. Its description is given in Fig. 4. First, we show that $M_{dpg}$ achieves parameters for a DPG-commitment. Roughly speaking, the protocol in the normal mode generates a random tuple $(g, h, \hat{g}_1, \hat{g}_2)$ by multiplying random elements $g_1$ and $g_2$ (from $M_{dpg}$) with random elements $h_1$ and $h_2$ (from the party). Therefore, the probability that the tuple $(g, h, \hat{g}_1, \hat{g}_2)$ is a DH tuple is negligible, since $g_1$ and $g_2$ are uniformly distributed. In the extraction mode, however, the simulator emulating $\mathcal{F}_{wrap}$ can rewind the ITM to cause $(g, h, \hat{g}_1, \hat{g}_2)$ to be a DH tuple. Specifically, the simulator picks a random DH tuple $(g, h, \hat{g}_1, \hat{g}_2)$ and, after finding out the values $g_1, g_2$, rewinds the machine to right before the second round and sends $h_i = \hat{g}_i / g_i^{x_i}$ for $i = 1, 2$. Under the DDH assumption, parameters from the normal mode and from the extraction mode are indistinguishable.

More importantly, $M_{dpg}$ is BiTR against affine tampering functions. To achieve BiTR security, we introduced $x_1$ and $x_2$. As before, suppose that the state for $g_1$ is changed from $r_1$ to $ar_1 + b$. In the second round, the simulator, given $h_1$ and $x_1$, has to send appropriate $h_1'$ and $x_1'$ to $\mathcal{F}_{wrap}$ such that $\hat{g}_1 = g^{(ar_1 + b)x_1} h_1 = g^{r_1 x_1'} h_1'$. This means that $h_1' = g^z h_1$ where $z = ar_1 x_1 + bx_1 - r_1 x_1'$. The good news is that although the simulator does not know $r_1$, it does know how to pick $x_1'$ so that the terms involving $r_1$ cancel: $x_1' = ax_1$, which leaves $z = bx_1$. The value $h_1' = g^{bx_1} h_1$ can then be computed without knowledge of $r_1$.
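The calculation above, as an added example (this is not code from the paper): the second-round output of $M_{dpg}$ for one coordinate, an affine tampering $r_1 \mapsto ar_1 + b$, the simulator's translation $x_1' = ax_1$, $h_1' = g^{bx_1} h_1$, and, for contrast, the $h_1'$ that the original $x$-free token would require, which depends on $r_1$. The first-round generator check and Pedersen commitment of Fig. 4 are included for completeness. The toy group size and the function names are assumptions of the example; the signature sub-ITM $K$ is not modelled.

```python
# Added example (not from the paper): why the exponents x_i in M_dpg make the
# affine-tampering simulator possible. Toy group parameters (assumption).
P, Q, G = 1019, 509, 4     # safe prime P = 2Q + 1; G generates the order-Q subgroup


def is_generator(h0):
    """Round-1 check of Fig. 4: h0 generates the order-Q subgroup."""
    return h0 % P not in (0, 1) and pow(h0, Q, P) == 1


def lam(a):
    """The map lambda of Fig. 4: lambda(a) = a if a > P/2, else P - a."""
    return a if a > P / 2 else P - a


def round1_commitment(h0, r, s):
    """Pedersen commitment com = g^s * h0^{lambda(g^r)} to the element g^r."""
    return pow(G, s, P) * pow(h0, lam(pow(G, r, P)), P) % P


def mdpg_output(r1, h1, x1):
    """Untampered M_dpg, one coordinate: ghat1 = (g^{r1})^{x1} * h1."""
    return pow(G, r1 * x1, P) * h1 % P


def tampered_mdpg_output(r1, a, b, h1, x1):
    """F_twrap applies f_{a,b} to r1 before the round runs."""
    return mdpg_output((a * r1 + b) % Q, h1, x1)


def simulator_query(a, b, h1, x1):
    """Given the adversary's (h1, x1) and the tampering (a, b) but NOT r1,
    return the (h1', x1') the simulator sends to the untampered token:
    x1' = a*x1 cancels the r1 terms, leaving h1' = g^{b*x1} * h1."""
    x1_prime = a * x1 % Q
    h1_prime = pow(G, b * x1, P) * h1 % P
    return h1_prime, x1_prime


def katz_required_h1_prime(r1, a, b, h1):
    """For the original token (no x1) the matching query is h1' = g^{(a-1) r1 + b} h1,
    which needs r1 itself; this is the obstacle described in the text."""
    return pow(G, (a - 1) * r1 + b, P) * h1 % P


def simulation_matches(r1, a, b, h1, x1):
    """Real tampered output versus what the untampered token returns on the
    simulator's translated query; they must be the same group element."""
    real = tampered_mdpg_output(r1, a, b, h1, x1)
    h1_prime, x1_prime = simulator_query(a, b, h1, x1)
    return real == mdpg_output(r1, h1_prime, x1_prime)


if __name__ == "__main__":
    h1 = pow(G, 5, P)
    print(simulation_matches(100, 3, 17, h1, 42),
          katz_required_h1_prime(100, 3, 17, h1) == katz_required_h1_prime(101, 3, 17, h1))
```

Because the simulator forwards $(h_1', x_1')$ and relays the token's answer unchanged, the signature produced by $K$ is on exactly the tuple the tampered token would have signed, so no forgery is needed.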
Theorem 5. The ITM $M_{dpg}$ in Fig. 4 is $\mathcal{T}_{aff}$-BiTR.

Furthermore, the way the ITM $M_{dpg}$ uses a signature scheme is simple enough (it simply passes through whatever it receives from the signature token) that we can easily extend the above theorem to prove that $M_{dpg}$ is universal-BiTR parent. We also show that the ITM for the Okamoto signature scheme $M_{oka}$ is modular-$\mathcal{T}_{aff}$-BiTR when used with $M_{dpg}$.

Lemma 6. The ITM $M_{oka}$ in Fig. 2 is modular-$\mathcal{T}_{aff}$-BiTR with respect to $(M_{dpg}; M_{oka})$.

Applying the composition theorem (Theorem 1) along with Theorem 5 and Lemma 6 to the above scheme, we obtain a BiTR token that gives a UC commitment based on Corollary 4.

Corollary 7. $(M_{dpg}; M_{oka})$ is $\mathcal{T}_{aff}$-BiTR.

5 BiTR Protocols against General Classes of Tampering Functions 

5.1 BiTR Protocols from Non-malleable Codes 

In this section we will see how the BiTR property can be derived by implementing an integrity check in the form of an encoding $\psi$. A useful tool for this objective is the notion of non-malleable codes. A pair of procedures $(E, D)$ is a non-malleable code with respect to tampering functions $\mathcal{T}$ if there is an algorithm $\mathcal{S}$ that detects whether the state becomes invalid, given only the tampering function $t$. In particular, $\mathcal{S}$ should satisfy the following property: for all $x \in \{0,1\}^n$ and $t \in \mathcal{T}$, if $x = D(t(E(x)))$ (i.e., $x$ stays the same even after applying the tampering $t$), it holds that $\mathcal{S}(t) = \top$ with overwhelming probability, while otherwise $\mathcal{S}(t)$ is statistically (or computationally) close to $D(t(E(x)))$. By encoding the state of a protocol with a non-malleable code it is possible to show the following restatement of Theorem 6.1 of the work that introduced non-malleable codes, under the BiTR security framework.

Theorem 8. Let $\mathcal{T}$ be a class of tampering functions over $\{0,1\}^m$ and $(E, D, \mathcal{S})$ be a non-malleable code with respect to $\mathcal{T}$, where $E : \{0,1\}^n \to \{0,1\}^m$, $D : \{0,1\}^m \to \{0,1\}^n$ and $\mathcal{S}$ are efficient procedures. Let $M$ be any ITM whose state is of length $n$. Then $M$ is $(\mathcal{T}, \psi)$-BiTR where $\psi = (E, D)$.

The above theorem suggests the importance of the problem of constructing non-malleable codes for a given class of tampering functions $\mathcal{T}$. Some positive answers to this difficult question are given in that work for a class of tampering functions that operate on each of the bits of the state independently; it also provides a general feasibility result for tampering families of bounded size (with an inefficient construction); an important characteristic of those solutions is that they rely on the randomness of the encoding. Here we show a different set of positive results by considering the case of deterministic non-malleable codes, i.e., the setting where $E$ and $D$ are both deterministic functions.

In our result we will utilize a relaxation of non-malleable codes: $(E, D, \mathrm{Predict})$ is called a $\delta$-non-malleable code with distance $\epsilon$ if for any $x \in \{0,1\}^n$ and $t \in \mathcal{T}$ it holds that (i) $D(E(x)) = x$, (ii) the probability that $D(t(E(x)))$ is neither $x$ nor $\bot$ is at most $\delta$, and (iii) $\mathrm{Predict}(\cdot)$ outputs either $\top$ or $\bot$, and $|\Pr[D(t(E(x))) = x] - \Pr[\mathrm{Predict}(t) = \top]| \le \epsilon$. It is easy to see that if $\epsilon, \delta$ are negligible the resulting code is non-malleable: given that $\delta$ is negligible, property (ii) says that $D$ will return either the correct value or fail, and thus in case it fails, $\mathrm{Predict}(\cdot)$ will return $\bot$ with about the same probability due to (iii). We call $\delta$ the crossover threshold and $\epsilon$ the predictability distance.


5.2 Constructing Deterministic Non-malleable Codes 

Inefficient Construction for Any $\mathcal{T}$. We now consider the problem of constructing a $\delta$-non-malleable code $E : \{0,1\}^n \to \{0,1\}^m$ for a given class of tampering functions and parameters $\delta, \epsilon$. We will only consider the case when $\delta > \epsilon$, as the other case is not useful. We note that the construction is inefficient for large $m$ and $n$, but it becomes efficient for logarithmic values of $m, n$. Following this, we utilize it in the construction of efficient deterministic non-malleable codes.

For a given $t \in \mathcal{T}$ consider the graph $G$ defined with vertex set $V = \{0,1\}^m$ and with each edge $(u_1, u_2)$ having weight $w_t(u_1, u_2) = \Pr[t(u_1) = u_2]$.[7] Finding a good $\delta$-non-malleable code amounts to finding a partition $S, \bar{S} = V \setminus S$ of $G$ satisfying the following properties for each $t \in \mathcal{T}$:

- For all $u, v \in S$ with $u \neq v$, it holds that $w_t(u, v) \le \delta$.[6]

- Either (i) $\forall u \in S : \sum_{v \in \bar{S}} w_t(u, v) \ge 1 - \epsilon$, or (ii) $\forall u \in S : \sum_{v \in \bar{S}} w_t(u, v) \le \epsilon$.

If $S$ satisfies condition (i) (resp., condition (ii)) for a given $t \in \mathcal{T}$, we will say that $S$ is a repeller (resp., an attractor) with respect to $t$.

We next provide a simple algorithm that is guaranteed to produce a code of non-zero rate if such a code exists. Consider all pairs of vertices $\{u_1, u_2\}$ and classify them according to whether they are repellers or attractors with parameters $\delta, \epsilon$. Note that testing whether these sets are repellers or attractors requires $O(|V|)$ steps. We perform the same for all tampering functions $t \in \mathcal{T}$ and then consider only those sets that appear in the lists of all tampering functions. Finally, we improve the size of such a selected pair by moving vertices from $\bar{S}$ to $S$ provided that the repeller or attractor property is maintained. We note that this approach will enable us to reach a local maximum code; nevertheless, it is not guaranteed to find an optimal code.

Assume now that the output of the above procedure is the set $C \subseteq V = \{0,1\}^m$. We next set $n = \lfloor \log_2 |C| \rfloor$ and consider $E : \{0,1\}^n \to \{0,1\}^m$, an arbitrary injection from $\{0,1\}^n$ to $C$. The decoding $D$ is defined as the inverse of $E$ when restricted to $C$, and $\bot$ everywhere else. We next define $\mathrm{Predict}$ as follows. On input $t$, if $C$ is an attractor, then output $\top$; otherwise (i.e., when $C$ is a repeller) output $\bot$.
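The search procedure above, as an added example (this is not the paper's code): a brute-force implementation for deterministic tampering functions on $m$-bit states, where every weight $w_t(u, v)$ is 0 or 1 and so $\delta = \epsilon = 0$. It classifies pairs as attractors or repellers for every $t$, grows a qualifying pair by the local improvement step, derives $(E, D, \mathrm{Predict})$ from the resulting set $C$, and checks properties (i)-(iii). The class EXAMPLE_T (a Set function, a flip of all bits and a bit swap) is constructed for the example, as are the function names; with Set functions on every bit position the search finds no qualifying pair, matching Example 1 below.

```python
# Added example (not from the paper): brute-force search for a deterministic
# non-malleable code against a class T of deterministic tampering functions on
# m-bit states (Section 5.2). With deterministic t, w_t(u, v) is 0/1 and
# delta = eps = 0. Tampering functions and names below are the example's own.
from itertools import combinations


def set_bit(i, val):
    """Set function: force bit i of the state to val (Example 1)."""
    return lambda u: (u | (1 << i)) if val else (u & ~(1 << i))


def flip_bit(i):
    return lambda u: u ^ (1 << i)


def flip_all(m):
    return lambda u: u ^ ((1 << m) - 1)


def swap_bits(i, j):
    def t(u):
        d = ((u >> i) & 1) ^ ((u >> j) & 1)
        return u ^ ((d << i) | (d << j))
    return t


def classify(S, t):
    """'attractor' if t fixes every codeword of S, 'repeller' if t sends every
    codeword outside S; None otherwise (this also rules out crossover u -> v in S)."""
    if all(t(u) == u for u in S):
        return 'attractor'
    if all(t(u) not in S for u in S):
        return 'repeller'
    return None


def is_good(S, T):
    return all(classify(S, t) is not None for t in T)


def find_code(m, T):
    """Local search of Section 5.2: classify all pairs, then grow a good pair by
    adding vertices while one-sidedness is preserved for every t. Returns the
    largest set found, or None if no pair qualifies."""
    V = range(1 << m)
    best = None
    for pair in combinations(V, 2):
        S = set(pair)
        if not is_good(S, T):
            continue
        for v in V:
            if v not in S and is_good(S | {v}, T):
                S.add(v)
        if best is None or len(S) > len(best):
            best = S
    return best


def build_code(C, T):
    """E: {0,1}^n -> C an injection (n = floor(log2 |C|)), D its inverse on the
    image and bottom (None) elsewhere, Predict(t) = True (top) iff C is an
    attractor for t."""
    words = sorted(C)
    n = len(words).bit_length() - 1
    image = {words[x]: x for x in range(1 << n)}
    E = lambda x: words[x]
    D = lambda v: image.get(v)
    Predict = lambda t: classify(C, t) == 'attractor'
    return E, D, Predict, n


def check_nonmalleable(E, D, Predict, n, T):
    """Properties (i)-(iii) of a delta-non-malleable code with delta = eps = 0."""
    for x in range(1 << n):
        if D(E(x)) != x:                    # (i)
            return False
        for t in T:
            y = D(t(E(x)))
            if y not in (x, None):          # (ii): never another valid message
                return False
            if (y == x) != Predict(t):      # (iii): Predict is exact
                return False
    return True


EXAMPLE_T = [set_bit(0, 0), flip_all(4), swap_bits(2, 3)]   # constructed class, m = 4

if __name__ == "__main__":
    C = find_code(4, EXAMPLE_T)
    E, D, Predict, n = build_code(C, EXAMPLE_T)
    print(sorted(C), "rate", n / 4, check_nonmalleable(E, D, Predict, n, EXAMPLE_T))
    print(find_code(4, [set_bit(i, 0) for i in range(4)]))   # None, as in Example 1
```

For probabilistic tampering the same skeleton applies with the 0/1 tests in classify replaced by the threshold tests of conditions (i) and (ii) on the estimated weights $w_t(u, v)$.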

6 The tampering $t$ may change the codeword $x$ into another valid codeword.

7 In the above description, we assumed the probabilities $\Pr[t(c) = u]$ are known. If they are not known, they can be estimated using standard techniques. In particular, to evaluate the probability $p$ of an event $A$, repeat $k$ independent experiments of $A$ and denote the success ratio of the $k$ experiments by $\hat{p}$. Let $X_i$ be the indicator that the $i$-th execution of the event $A$ is successful. The expected value of $Y = \sum_{i=1}^{k} X_i$ is $k \cdot p$. Using the Chernoff bound it follows that $|\hat{p} - p| \le 1/N$ with probability $1 - \gamma$ provided that $k = \Omega(N^2 \ln(\gamma^{-1}))$.
The rate of the constructed code is $n/m$, while the time complexity of constructing $E$, $D$, $\mathrm{Predict}(\cdot)$ is […]. The size of the circuit evaluating each one of these functions is respectively $2^n$, $2^m$, $|\mathcal{T}|$.

Theorem 9. Fix any class of functions $\mathcal{T}$. If there exists a code $(E, D, \mathrm{Predict})$ with rate $> 0$ that is $\delta$-non-malleable w.r.t. $\mathcal{T}$ with distance $\epsilon$, then such a code is produced by the above procedure.

When does a deterministic non-malleable code exist? The basic idea of the construction above was to search for a one-sided set of codewords and use it to define the non-malleable code. The necessity of one-sidedness is easy to see, since if the property fails, i.e., $\epsilon < q_{u,t} < 1 - \epsilon$ for some $t$ and $u$ (where $q_{u,t}$ denotes the probability that $t$ moves $u$ out of the code), the requirement on $\mathrm{Predict}$ cannot hold in general, since it cannot predict with high probability what would happen in the real world after tampering a state that is encoded as $u$. We now provide two illustrative examples and discuss the existence (and rate) of a deterministic non-malleable encoding for them.

Example 1: Set Functions. If $\mathcal{T}$ contains a function $t$ that sets the $i$-th bit of $u \in \{0,1\}^m$ to 0, it follows that the code $C$ we construct must obey that either all codewords have the $i$-th bit set to 0 or all of them have the bit set to 1. This means that the inclusion of any bit-setting function in $\mathcal{T}$ cuts the size of the code $|C|$ by half. There is no non-malleable code when the collection $\mathcal{T}$ contains Set functions for every bit position (this is consistent with the impossibility result for algorithmic tamper-proof security when Set functions are allowed for tampering).

Example 2: Differential Fault Analysis [8]. Consider a single function $t$ which flips each 1-bit to a 0-bit with probability $\beta$. Consider a code $C \subseteq \{0,1\}^m$ for which it holds that all codewords in $C$ have Hamming distance at least $r$ from each other and $0^m \in C$. Then it is easy to see that $\delta$, the probability of crossover, is at most $\beta^r$. Further, now suppose that $t$ is applied to an arbitrary codeword $u$ in $C$ other than $0^m$. We observe that the number of 1's in $u$ is at least $r$ (otherwise it would have been too close to $0^m$). It follows that $t$ will change some of these 1's to 0's with probability at least $1 - (1 - \beta)^r$. It follows that we can predict the effect of the application of $t$ with this probability when we restrict to codewords in $C \setminus \{0^m\}$. In summary, any code $C$ over $\{0,1\}^m$ with minimum distance $r$ that contains $0^m$ allows for a $\beta^r$-non-malleable code with distance $(1 - \beta)^r$ for $t$ using the code $C \setminus \{0^m\}$.

We can extend the above to the case when compositions of $t$ are allowed. Note that a sequence of $a$ applications of $t$ will flip each 1-bit to a 0-bit with probability $\beta + (1 - \beta)\beta + \cdots + (1 - \beta)^{a-1}\beta = 1 - (1 - \beta)^a$. The encoding now has crossover $(1 - (1 - \beta)^a)^r \le e^{-(1 - \beta)^a r}$. Thus, from $e^{-(1 - \beta)^a r} \le \delta$, we obtain $r \ge (1/(1 - \beta))^a \ln(1/\delta)$, i.e., when $\beta$ is bounded away from 1, the minimum distance of the code grows exponentially with $a$.

Efficient Construction for Localized $\mathcal{T}$. Now, we show a simple way to use the (inefficient) construction from the beginning of the section, with constant rate and any crossover $\delta < 1/2$, to achieve an efficient construction with negligible crossover (and thus BiTR security for any protocol $M$ whose state is encoded with the resulting code), when the class contains only functions that can be split into independent tampering of local (i.e., logarithmically small) blocks. Here we consider a tampering class $\mathcal{T}$ of polynomial size. Roughly speaking, the construction is achieved by first applying a Reed-Solomon code to the overall state and then applying the $\delta$-non-malleable code to the resulting codeword in small blocks. Let $\mathcal{T}^\ell$ denote $\mathcal{T} \times \cdots \times \mathcal{T}$ (with $\ell$ repetitions).

Theorem 10. Let $k$ be a security parameter. Let $\mathcal{T}$ be a class of functions over $\{0,1\}^m$ with $m = O(\log k)$ for which a $\delta$-non-malleable code exists and is efficiently constructible with rate $r$. Then there is an efficiently constructible deterministic non-malleable code w.r.t. $\mathcal{T}^\ell$ for any rate less than $(1 - \delta)r$, provided $\ell / \log \ell = \omega(\log k)$.

Acknowledgement. We are grateful to Li-Yang Tan and Daniel Wichs for useful dis-